Geeks to Go
Removing nondeletable icon


This topic is locked

#1 Zylocks (Member, 182 posts)
I don't think this goes into the Malware Removal section, although I couldn't find a better spot, so here goes.

I tried getting a no-CD crack for a game my friend lent to me, although the crack didn't do anything. On top of it, I can't seem to delete the file. The file is called "bOZEr-Ra2YuriNoCD", and I get the following message when I try to delete it: "Cannot delete bOZEr-Ra2YuriNoCD: It is being used by another person or program. Close any programs that might be using the file and try again". I went to Windows Task Manager and ended the process for everything I could, although I still could not delete it.

Any help would be greatly appreciated.

#2 Crustyoldbloke, Old Malware Surgeon with a shaky scalpel (Retired Staff, 15,131 posts)
Hello and welcome back

Delete the file in safe mode.

#3 Zylocks (Topic Starter, Member, 182 posts)
Thanks for the reply, although booting up into safe mode and trying to delete it from there didn't seem to help.

#4 Crustyoldbloke, Old Malware Surgeon with a shaky scalpel (Retired Staff, 15,131 posts)
Please click here and follow the recommendations in the guide.

If you're still having trouble, we'll need you to use a free diagnostic tool, HijackThis. Follow the instructions in step five of this guide, and reply here with your log.

Most of what HijackThis lists will be harmless or even essential. DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

#5 Zylocks (Topic Starter, Member, 182 posts)
Nuts, I didn't think removing that one little thing would be so complicated. Although the steps sure wouldn't hurt for later use. I'll get on it, and reply back with a HijackThis log if it is not fixed.

Thanks again for your time!

#6 Crustyoldbloke, Old Malware Surgeon with a shaky scalpel (Retired Staff, 15,131 posts)
No problem.

#7 Zylocks (Topic Starter, Member, 182 posts)
Alright, I've been busy for a bit, but I ended up doing everything asked. None of the spyware and virus killers seemed to help get rid of the icon. So, here is the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 9:47:04 PM, on 10/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adam\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

And the uninstall log:

µTorrent
Ad-Aware SE Personal
Adobe Reader 7.0.8
Adobe Shockwave Player
Apple Software Update
AVG Free Edition
AviSynth 2.5
Battlefield 2™
Battlefield 2: Special Forces
Battlefield 2142
DC++ 0.698
Diablo II
GameShadow
GameSpy Arcade
Half-Life® 2
HijackThis 1.99.1
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
LimeWire 4.12.6
Logitech iTouch Software
Logitech MouseWare 9.79.1
Microsoft .NET Framework 1.1
Microsoft Halo
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (1.5.0.9)
MSN Messenger 7.5
MSXML 4.0 SP2 Parser and SDK
Nero 7 Premium
NVIDIA Drivers
PowerISO
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Security Update for Windows XP (KB921883)
SoundMAX
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Starcraft
Steam™
SUPERAntiSpyware Free Edition
VideoLAN VLC media player 0.8.2
Videora iPod Converter 0.91
WinRAR archiver
WinZip
Xfire (remove only)

Thanks again!
Also, this webpage looks messed up. Is this just my computer, or did something happen to the site?

Edited by Zylocks, 10 February 2007 - 08:51 PM.


#8 Crustyoldbloke, Old Malware Surgeon with a shaky scalpel (Retired Staff, 15,131 posts)
Hello again Adam

This website is quite normal, so I think it might be your browser. Try Firefox:

http://www.mozilla.com/en-US/firefox/

Your HJT log is really not showing anything bad, just a little clutter which can easily be rectified.

Rescan with HijackThis. Close all programmes, leaving only HijackThis running. Place a checkmark or tick against the following:

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab


Click on Fix Checked when finished and exit HijackThis.

You can uninstall these:

J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
LimeWire 4.12.6

Can you do a screen capture of this icon, and also type into your reply the information found if you right-click it and choose Properties?

Edited by Crustyoldbloke, 11 February 2007 - 02:09 AM.

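An added example (not code from this thread, from HijackThis, or from the helper): a small Python parser for the O-lines of an HJT 1.99.1 log that does the triage above mechanically. It ticks dangling "(file missing)" entries and the O16 DPF download, groups lines that share a CLSID so a button and its 'Tools' menu item are fixed together, and marks the O23 service with no vendor string as something to verify rather than delete. The sample lines are copied from the log posted in this thread; the section and action names are this example's own.

```python
"""Parse HijackThis 1.99.1 'O' lines and flag the entries a reviewer would look at."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

LINE_RE = re.compile(r"^O(?P<section>\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: int          # the O-number: 2 = BHO, 4 = Run key, 9 = IE button, 16 = DPF, ...
    body: str             # everything after "On - "
    clsid: Optional[str]  # normalised (upper-case) CLSID if the line carries one
    target: str           # last " - " separated field: usually the file path or URL
    file_missing: bool    # HJT appends "(file missing)" when the target does not exist


def parse_hjt(text: str) -> List[Entry]:
    """Turn the O-lines of an HJT log into Entry records; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        fields = [f.strip() for f in body.split(" - ")]
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            section=int(m.group("section")),
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            target=fields[-1],
            file_missing=fields[-1].endswith("(file missing)"),
        ))
    return entries


def group_by_clsid(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Lines sharing a CLSID belong to one component (an O9 button and its
    'Tools' menu item, for instance), so they are fixed together."""
    groups: Dict[str, List[Entry]] = {}
    for e in entries:
        if e.clsid:
            groups.setdefault(e.clsid, []).append(e)
    return groups


def triage(entries: List[Entry]) -> List[Tuple[str, str, Entry]]:
    """Return (action, reason, entry) triples.

    'fix'    - clutter safe to tick for 'Fix checked': entries whose target is
               gone, and O16 DPF controls downloaded from a web site.
    'verify' - not necessarily bad, but worth checking before touching:
               services with no vendor string.
    """
    out = []
    for e in entries:
        if e.file_missing:
            out.append(("fix", "target file missing; entry is dead weight", e))
        elif e.section == 16:
            out.append(("fix", "O16 DPF: ActiveX control pulled from a web site", e))
        elif e.section == 23 and "Unknown owner" in e.body:
            out.append(("verify", "O23 service without a vendor; confirm what installed it", e))
    return out


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for action, reason, entry in triage(parsed):
        print(f"[{action:6}] O{entry.section}: {entry.target}  <- {reason}")
```

Note that it also flags the O18 msnim stub, which the helper left alone; a dead protocol handler is harmless clutter, and removing it is a judgement call rather than a necessity.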

#9 Zylocks (Topic Starter, Member, 182 posts)
Heh, it was kinda weird seeing you call me by my name. I was a bit surprised at first, but I guess you saw it in the HijackThis log. :whistling:

As for the website, I am using Firefox... hrm, maybe I clicked on some option on this website. Who knows, it's not a big deal.

Alright, I deleted or fixed the couple of things you told me to, and uninstalled the 3 J2SE things, although how come you wanted me to uninstall LimeWire? I also think I attached the two pictures of the file like you asked... if they're not there, just let me know.

Again, thanks for the help.

#10 Crustyoldbloke, Old Malware Surgeon with a shaky scalpel (Retired Staff, 15,131 posts)
Hello again Adam

Nothing attached.

How to provide a screen capture of the object

Select the window that you want to show us

Press the ALT key and the Print Screen (sometimes this key is labelled Prt Sc, or Prt Scr) simultaneously

Open Microsoft Paint (usually Start > All Programs > Accessories > Paint)

On the menu bar at the top, choose EDIT > PASTE

Save the file on the desktop by choosing FILE > SAVE AS

Click on the DESKTOP button on the left side of the dialog box, then in the FILE NAME box type: screen1, and under SAVE AS TYPE, choose JPEG

Click the SAVE button

Close Paint

To attach the file, click the ADD_REPLY button at the bottom of this thread. When the window opens, scroll below the message box to FILE ATTACHMENTS, click BROWSE, click the DESKTOP button, then choose SCREEN1, and then click the OPEN button.

Now click the ATTACH button, then click ADD_REPLY button

---------------------------------------------------------

Limewire?

P2P Security Risks

P2P (peer-to-peer) file-sharing is a very popular and easy way for users to share music, movies, videos, and other files over the Internet. However, using P2P software is very risky, because it makes you very susceptible to infection, attack, exposure of personal or company information, and even copyright infringement issues.

Installation Of Malware
If you use P2P applications, it is difficult, if not impossible, to verify that the sources of the shared files are safe. P2P applications are often used by attackers to transmit malware (malicious software). The files may contain spyware, viruses, Trojan horses, or worms. When you download the files, your computer can become infected. Currently, experts have estimated that over 70% of the programmes shared on P2P networks contain some sort of malware.

Exposure Of Sensitive Information
When using P2P applications, you may unknowingly give other users access to personal or sensitive information that is stored on your computer. People may be able to access your financial or medical data, personal documents, sensitive corporate information, or other private information. If your computer contains other people's or companies' information, you may even become legally liable if their information gets released in this way.

Vulnerability To Unwanted Attacks
Many P2P applications require you to open specific ports on your firewall to send and receive the shared files through. However, by opening those ports, you may give attackers access to the information on your computer or enable them to attack your computer by taking advantage of any security vulnerabilities that may exist.

Self-Induced Denial Of Service
Downloading files with these applications causes a significant amount of traffic over your internet connection; it also relies on certain processes to happen on your computer. This activity may adversely limit or even block your access to the Internet while you are running these types of programmes.

Prosecution Due To Copyright Infringement

Downloading or sharing copyrighted software, music or videos is illegal. If you download them, even unknowingly, you may be faced with fines or other legal actions.

Conclusion
This article lists only a few of the risks that P2P programmes can open you up to. I urge you to strongly consider not using these types of programmes. If you still choose to use them, research what the best security settings are for the P2P programme you choose using your favourite search engine, use a very good firewall, run daily scans of your system with your antivirus and antispyware applications, constantly monitor the activity and file content in the shared directories to help ensure you don't violate any laws or expose your own data here.

Does that answer your reluctance?

#11 Zylocks (Topic Starter, Member, 182 posts)
Alright, that's what I tried. I don't know why it didn't attach, so I'll just try it another way. I uploaded the pictures onto Photobucket.

The first one here:
http://s179.photobuc...=Screenshot.jpg

And the second one:
http://s179.photobuc...screenshot2.jpg

#12 Crustyoldbloke, Old Malware Surgeon with a shaky scalpel (Retired Staff, 15,131 posts)
OK, they are a bit small, but I get the general picture. It looks like a folder, presumably empty.

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy ALL THE TEXT contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
C:\Documents and Settings\Adam\Desktop\bOZEr-Ra2YuriNoCD

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger programme by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • Upon reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy & paste the content of c:\avenger.txt into your reply along with a fresh HJT log from normal mode, by using Add Reply.

Download this file: combofix.exe to your Desktop

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#13 Zylocks (Topic Starter, Member, 182 posts)
Alright, here's the Avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tuvmtdjm

*******************

Script file located at: \??\C:\Documents and Settings\qmfavykh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Folder C:\Documents and Settings\Adam\Desktop\bOZEr-Ra2YuriNoCD not found!
Deletion of folder C:\Documents and Settings\Adam\Desktop\bOZEr-Ra2YuriNoCD failed!

Could not process line:
C:\Documents and Settings\Adam\Desktop\bOZEr-Ra2YuriNoCD
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

The HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:59:41 PM, on 11/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adam\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

And finally the ComboFix log:
"Adam" - 07-02-11 16:01:34 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


2007-02-11 15:57 <DIR> d-------- C:\avenger
2007-02-08 21:21 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-02-08 20:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-08 20:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-02-08 20:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\SUPERAntiSpyware.com
2007-02-08 20:42 <DIR> d-------- C:\DOCUME~1\Adam\Application Data\SUPERAntiSpyware.com
2007-02-05 20:08 <DIR> d-------- C:\Westwood
2007-02-02 02:20 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-02-02 02:20 19 --a------ C:\WINDOWS\popcinfo.dat
2007-02-02 02:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Trymedia
2007-01-28 19:04 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-01-28 19:04 35,525 --a------ C:\WINDOWS\DIIUnin.dat
2007-01-28 19:04 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-01-28 19:00 <DIR> d-------- C:\Program Files\Diablo II
2007-01-28 16:26 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-01-28 15:50 611,064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-01-28 15:49 <DIR> d-------- C:\Program Files\arniWORX
2007-01-27 01:45 967 --a------ C:\WINDOWS\ScUnin.pif
2007-01-27 01:45 70,656 --a------ C:\WINDOWS\ScUnin.exe
2007-01-27 01:45 33,365 --a------ C:\WINDOWS\scunin.dat
2007-01-27 01:45 <DIR> d-------- C:\Program Files\Starcraft
2007-01-26 20:18 <DIR> d-------- C:\Program Files\PopCap Games
2007-01-25 19:37 <DIR> d-------- C:\Program Files\Microsoft Games
2007-01-23 22:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-01-15 15:47 <DIR> d-------- C:\Program Files\Electronic Arts


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-11 16:00 -------- d-------- C:\Program Files\mozilla firefox
2007-02-11 15:57 561 --ahs---- C:\WINDOWS\system32\mmf.sys
2007-02-11 15:56 -------- d-------- C:\DOCUME~1\Adam\Application Data\utorrent
2007-02-11 04:13 -------- d-------- C:\Program Files\java
2007-02-11 03:55 -------- d-------- C:\Program Files\dc++
2007-02-08 21:21 -------- d-------- C:\Program Files\ea games
2007-02-08 17:08 3349 --a------ C:\WINDOWS\mozver.dat
2007-02-08 17:05 -------- d-------- C:\DOCUME~1\Adam\Application Data\xfire
2007-02-08 01:35 -------- d-------- C:\Program Files\fear
2007-02-07 23:37 -------- d-------- C:\Program Files\spywareblaster
2007-02-04 23:08 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-01-29 22:50 21840 --a----t- C:\WINDOWS\system32\sintfnt.dll
2007-01-29 22:50 17212 --a----t- C:\WINDOWS\system32\sintf32.dll
2007-01-29 22:50 12067 --a----t- C:\WINDOWS\system32\sintf16.dll
2007-01-26 12:32 -------- d---s---- C:\Program Files\xfire
2007-01-25 21:15 -------- d-------- C:\Program Files\gamespy arcade
2007-01-15 15:46 -------- d--h----- C:\Program Files\installshield installation information


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NWEReboot"=""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Adam^Start Menu^Programs^Startup^Xfire.lnk]
"path"="C:\\Documents and Settings\\Adam\\Start Menu\\Programs\\Startup\\Xfire.lnk"
"backup"="C:\\WINDOWS\\pss\\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Xfire\\xfire.exe "
"item"="Xfire"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCDEmuApp.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SCDEmuApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\SCDEmuApp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Valve\\Steam\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoraiPodConverter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VideoraiPodConverter"
"hkey"="HKLM"
"command"="C:\\Program Files\\VideoraiPodConverter\\VideoraiPodConverter.exe -t"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\Setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
Shell\AutoRun\command H:\autorun.exe
Shell\readit\command notepad readme.doc


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-11 16:03:03

Edited by Zylocks, 11 February 2007 - 03:04 PM.


#14 Crustyoldbloke, Old Malware Surgeon with a shaky scalpel (Retired Staff, 15,131 posts)
Hello Adam

Well the Avenger log has an error code which says that the file doesn't exist.

Your combofix log shows two malware files for deletion.

Please boot into safe mode and delete these files:

C:\WINDOWS\iun6002.exe
C:\WINDOWS\popcinfo.dat

I have this feeling that the malware is from a game, since I have never seen anything like it, and the lettering, using a mixture of upper and lower case, is reminiscent of games.

What happens when you click the icon? Is it a shortcut, and if so, to what?

#15 Zylocks (Topic Starter, Member, 182 posts)
Yes, this was from a game. It was supposed to be a crack, so both me and my friend could play the game.

When I click it, msprompt (I think that's what it's called, maybe) pops up for a second and then disappears.

I took a screenshot of it (it took a couple tries to get it).
Here it is.

http://s179.photobuc...screenshot3.jpg