  • This topic is locked

#16
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hello,

That killed the infection..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Did you read my previous post about Killbox?
Delete the Killbox.rar and RIGHTClick C:\!Killbox-folder and choose to copy to > extracted/zipped folder.
This should create a new Killbox.rar.
That's the one you should upload.
Let me know in your next reply if you uploaded it.

Also let me know in your next reply how things are running now.

Edited by miekiemoes, 07 February 2007 - 02:47 PM.


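As an added example (not code from this thread, from Geeks to Go, or from HijackThis itself), the following Python script parses HijackThis 1.99-style log lines and lists the load-point entries whose target is reported as "(file missing)" or "(no file)", which is exactly the kind of leftover the two entries above are. The sample log is constructed from lines quoted in this thread, and the entry-type labels in LOAD_POINTS are my own.

```python
"""Flag orphaned HijackThis load-point entries.

Added example for this thread, not code from the forum or from HijackThis.
Assumes the HijackThis 1.99-style line layout quoted above, e.g.
'O20 - Winlogon Notify: name - path-to-dll (file missing)'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Suffixes HijackThis appends when the referenced file no longer exists.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Load points that run code at logon or inside the browser (my own labels).
# An orphaned one is usually a harmless leftover of a removal, but it is still
# a registration that a later dropper could satisfy by re-creating the file.
LOAD_POINTS = {"O2": "Browser Helper Object", "O3": "IE toolbar",
               "O4": "Run key / Startup", "O9": "IE extra button",
               "O20": "Winlogon Notify DLL", "O21": "SSODL object",
               "O23": "Service"}

LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

@dataclass
class Entry:
    kind: str             # e.g. "O20"
    detail: str           # everything after "Onn - "
    clsid: Optional[str]  # {GUID} if the entry carries one
    target: str           # file the entry points at ("" if none was logged)
    orphaned: bool        # True when HijackThis reports the target missing
    raw: str              # original line, for a "fix these" list

def _strip_marker(segment: str) -> str:
    for marker in ORPHAN_MARKERS:
        if segment.endswith(marker):
            return segment[: -len(marker)].rstrip()
    return segment

def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; None for process lists, headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, detail = m.groups()
    clsid = CLSID_RE.search(detail)
    # The target is the last " - " separated field, minus any orphan marker.
    last = detail.rsplit(" - ", 1)[-1]
    orphaned = any(last.endswith(mk) for mk in ORPHAN_MARKERS)
    return Entry(kind, detail, clsid.group(0) if clsid else None,
                 _strip_marker(last), orphaned, line.strip())

def orphaned_load_points(log: str) -> List[Entry]:
    """Load-point entries whose target HijackThis reports as missing."""
    found = []
    for line in log.splitlines():
        entry = parse_line(line)
        if entry and entry.kind in LOAD_POINTS and entry.orphaned:
            found.append(entry)
    return found

def fix_list(log: str) -> List[str]:
    """The raw lines a helper would ask the user to tick before 'Fix checked'."""
    return [e.raw for e in orphaned_load_points(log)]

# Constructed sample: two intact entries plus the three orphaned ones quoted
# in this thread (the O3/O20 leftovers and the xpnetdiag button).
SAMPLE_LOG = r"""O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll (file missing)
"""

if __name__ == "__main__":
    for e in orphaned_load_points(SAMPLE_LOG):
        print(f"{e.kind:<4}{LOAD_POINTS[e.kind]:<24}{e.target or '-'}")
```

An orphaned entry is not malicious by itself; it only says the registration outlived the file, which is why the helper has them fixed as a final clean-up step.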


#17
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Sorry for disturbing you, but I would like to thank you both for submitting the files.

Most vendors will be calling this variant:
Virus.Win32.Fontra.c or similar.

Keep up the good work.

#18
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Thanks for the feedback Pieter.

#19
rumdup

    Member

  • Topic Starter
  • Member
  • 43 posts
Did I get left out in the cold?

#20
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
No you didn't.... You just didn't see that we are already on page 2 and that's why you most probably didn't see my post.
Scroll 3 posts up.

Hello,

That killed the infection..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Did you read my previous post about Killbox?
Delete the Killbox.rar and RIGHTClick C:\!Killbox-folder and choose to copy to > extracted/zipped folder.
This should create a new Killbox.rar.
That's the one you should upload.
Let me know in your next reply if you uploaded it.

Also let me know in your next reply how things are running now.


Edited by miekiemoes, 08 February 2007 - 07:18 PM.


#21
rumdup

    Member

  • Topic Starter
  • Member
  • 43 posts
What do I do from here?

#22
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

Not sure if you performed my previous instructions, because it really seems that you are still watching page 1 and didn't see that we are already on page 2. I have sent you a PM to tell you this, in case you don't read this reply either.

I asked you to compress the Killbox-folder and submit it to the link I gave you, because you compressed Killbox.exe instead previously and submitted it.

Then I gave you instructions to fix leftovers in Hijackthis, and then I asked you how things are running now since the bad files are gone now.

So let me know how things are running now and submit the zipped/compressed killbox-folder.

#23
rumdup

    Member

  • Topic Starter
  • Member
  • 43 posts
O.k. I'm still lost. Thank You for the reply but can we start from scratch again?

#24
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP

Thank You for the reply but can we start from scratch again?

Ehm... what do you mean from scratch again? We cleaned the malware from your system previously. All I asked was to submit the killbox-folder (zipped one).

What is it that you don't understand? What do you want to know?

Let me quote my latest instructions once again..

Hello,

That killed the infection..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Did you read my previous post about Killbox?
Delete the Killbox.rar and RIGHTClick C:\!Killbox-folder and choose to copy to > extracted/zipped folder.
This should create a new Killbox.rar.
That's the one you should upload.
Let me know in your next reply if you uploaded it.

Also let me know in your next reply how things are running now.


Please let me know what you don't understand in above instructions.
I also asked you how your computer is running now since we removed the malware but you still didn't answer this....

#25
rumdup

    Member

  • Topic Starter
  • Member
  • 43 posts
Well, since we last spoke, I have accumulated other viruses according to my spyware and anti-virus software. Here is what I did:
#1: Ran ComboFix, then Brute Force
#2: Ran ComboFix again
#3: Ran the HijackThis software

Here are the logs:

"G" - 07-02-12 11:59:28 Service Pack 2
ComboFix 07-02-06.3 - Running from: "C:\Documents and Settings\G\Desktop\Spyware Files"

((((((((((((((((((((((((((((((( Files Created from 2007-01-12 to 2007-02-12 ))))))))))))))))))))))))))))))))))


2007-02-12 11:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-12 11:30 <DIR> d-------- C:\DOCUME~1\G\Application Data\SUPERAntiSpyware.com
2007-02-12 11:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-12 11:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-02-12 10:36 <DIR> d-------- C:\!KillBox
2007-02-07 20:17 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-02-07 20:17 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-02-07 20:17 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-02-07 20:17 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-02-07 20:17 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-02-07 20:17 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-02-07 20:17 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-02-07 20:17 <DIR> d-------- C:\Program Files\Alwil Software
2007-02-07 14:03 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-06 21:24 <DIR> d-------- C:\bfu
2007-02-06 12:40 <DIR> d-------- C:\bintheredunthat
2007-02-06 09:05 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-06 09:05 <DIR> d-------- C:\Program Files\Grisoft
2007-02-05 09:18 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-02-05 09:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe Systems
2007-02-03 18:24 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-02-03 18:19 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-01-18 17:59 <DIR> d-------- C:\DOCUME~1\G\Application Data\MSN6
2007-01-18 17:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\MSN6
2007-01-12 19:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\FLEXnet
2007-01-12 19:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-12 18:03 <DIR> d-------- C:\DOCUME~1\G\Application Data\BitTorrent
2007-01-12 18:02 <DIR> d-------- C:\Program Files\BitTorrent


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-12 11:19 -------- d-------- C:\Program Files\mozilla firefox
2007-02-12 10:44 -------- d-------- C:\Program Files\spywareguard
2007-02-12 10:39 -------- d-------- C:\Program Files\spywareblaster
2007-02-12 09:48 -------- d-------- C:\Program Files\Common Files\adobe
2007-02-05 13:34 14 --a------ C:\WINDOWS\system32\getfile.dat
2007-02-03 19:13 -------- d-------- C:\Program Files\google
2007-02-03 18:24 -------- d-------- C:\Program Files\java
2007-02-03 18:22 -------- d-------- C:\Program Files\creative
2007-02-03 16:27 -------- d-------- C:\DOCUME~1\G\Application Data\limewire
2007-01-30 09:53 -------- d---s---- C:\DOCUME~1\G\Application Data\microsoft
2007-01-12 19:43 -------- d-------- C:\DOCUME~1\G\Application Data\adobe
2007-01-10 18:53 -------- d-------- C:\Program Files\absolute sound recorder
2007-01-03 11:42 -------- d-------- C:\Program Files\uninstall body mass index calculator
2007-01-03 11:42 -------- d-------- C:\Program Files\body mass index calculator
2007-01-01 12:46 -------- d-------- C:\Program Files\acoustica audio converter pro
2007-01-01 11:34 -------- d-------- C:\Program Files\limewire
2007-01-01 09:55 -------- d--h----- C:\Program Files\installshield installation information
2006-12-26 14:27 -------- d-------- C:\DOCUME~1\G\Application Data\sun
2006-12-26 12:50 -------- d-------- C:\DOCUME~1\G\Application Data\playfirst
2006-12-26 12:49 -------- d-------- C:\Program Files\disney
2006-12-21 13:37 -------- d-------- C:\DOCUME~1\G\Application Data\versiontracker pro
2006-12-21 12:54 -------- d-------- C:\Program Files\windows media connect 2
2006-12-21 12:42 -------- d-------- C:\DOCUME~1\G\Application Data\sony corporation
2006-12-21 11:44 -------- d-------- C:\Program Files\acoustica cd label maker
2006-12-21 11:44 -------- d-------- C:\DOCUME~1\G\Application Data\help
2006-12-21 11:42 -------- d-------- C:\Program Files\sony
2006-12-21 11:42 -------- d-------- C:\Program Files\Common Files\sony shared
2006-12-21 11:42 -------- d-------- C:\Program Files\Common Files\installshield
2006-12-20 21:17 -------- d-------- C:\DOCUME~1\G\Application Data\ripit4me
2006-12-19 17:48 -------- d-------- C:\Program Files\ripit4me
2006-12-19 17:47 -------- d-------- C:\Program Files\dvd shrink
2006-12-19 17:46 -------- d-------- C:\Program Files\dvd decrypter
2006-12-12 12:26 -------- d-------- C:\DOCUME~1\G\Application Data\macromedia
2006-12-11 14:02 0 --a------ C:\WINDOWS\nsreg.dat
2006-12-11 10:26 2293 --a------ C:\WINDOWS\mozver.dat
2006-12-11 10:26 107132 --a------ C:\WINDOWS\uninstallfirefox.exe
2006-12-10 19:56 28921 --a------ C:\WINDOWS\hpoins03.dat
2006-12-10 19:26 151552 --------- C:\WINDOWS\system32\pxwma.dll
2006-12-10 19:26 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-12-10 19:26 104960 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-12-10 17:07 0 -rahs---- C:\MSDOS.SYS
2006-12-10 17:07 0 -rahs---- C:\IO.SYS
2006-12-10 17:07 0 --a------ C:\CONFIG.SYS
2006-12-10 17:07 0 --a------ C:\AUTOEXEC.BAT
2006-12-10 17:03 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2006-12-10 10:00 62 --ahs---- C:\DOCUME~1\G\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\AcroTray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
"location"="Common Startup"
"item"="Google Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTracker Pro.lnk]
"backup"="C:\\WINDOWS\\pss\\VersionTracker Pro.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{0EB58CEE-07A5-43E6-9D68-69C0B38C13E1}\\New_Shortcut_S1699_A8EB5A2133B04A97AEEFDFB17E2E701D.exe /hide"
"item"="VersionTracker Pro"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SsAAD"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1165802195.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-12 12:01:15


Logfile of HijackThis v1.99.1
Scan saved at 12:01:34 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\G\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uthscsa.edu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165804355775
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe



#26
rumdup

    Member

  • Topic Starter
  • Member
  • 43 posts
I am also running SUPERAntiSpyware and AVG Anti-Spyware as we speak.

#27
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

Your logs look clean.

Well since we last spoke, I have accumulated other viruses according to my spyware and anti-virus software

Yes, it is normal that scanners still find some leftovers, but this time they should be able to delete the leftovers since we deleted the active malware already.
We also deleted anything suspicious that was present in the logs.
So performing an extra scan deals with the leftovers now. That's why I also always ask as a last step to perform a scan to deal with the leftovers.... But you are already doing this.

Still one thing to perform though..

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.0.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#28
rumdup

    Member

  • Topic Starter
  • Member
  • 43 posts
Thank You tremendously for the help!

Have a wonderful day. I will download hijack log on my laptop and submit logs to see if it is o.k. too if you don't mind?

Thanks a mil

#29
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

Yes, post the HijackThis log from your laptop as well.

#30
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.