Win32.Trojandownloader.Agent Please Help


  • Please log in to reply

#1 crossya0va (New Member, 4 posts)
Win32.Trojandownloader.Agent

Can't get rid of it using Ad-Aware Pro 2007. Every time it's deleted, it comes back on a reboot. Other times it changes its name.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:31 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\mrofinu1044.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
E:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\WINDOWS\system32\ctfmon .exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\PeerGuardian2\pg2 .exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\WinAble\winable .exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\PROGRA~1\WNSXS~1\explorer.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\??curity\m?config.exe
E:\Documents and Settings\Joe\Desktop\HiJackThis(2).exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007 .exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F3 - REG:win.ini: load=E:\WINDOWS\system32\awvvs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {51DFF716-59FE-4279-B13A-3DA6F8B8C5BF} - E:\WINDOWS\system32\awvvs.dll
O2 - BHO: (no name) - {C5A9AD1B-1BAF-2B2A-8F2E-39E678F508ED} - E:\WINDOWS\system32\jswai.dll
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - E:\WINDOWS\system32\awturpq.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [runner1] E:\WINDOWS\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [AAWTray] E:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] E:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "E:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Roem] "E:\PROGRA~1\WNSXS~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Kcaqvz] "E:\Program Files\Common Files\??curity\m?config.exe"
O4 - HKCU\..\Run: [WinAble] E:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10091CC5-6F39-43A6-9827-40296B881789}: NameServer = 167.206.254.2,167.206.254.1
O20 - Winlogon Notify: awturpq - E:\WINDOWS\SYSTEM32\awturpq.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6508 bytes
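Added example, not from this thread or from any of the tools named in it: a small Python triage script that scans HijackThis lines for the persistence patterns visible in the log above (a non-empty win.ini load=, an unnamed BHO, a Winlogon Notify hook, Run entries pointing at a file dropped in the Windows root or at a path with unprintable characters) and checks a file list for reversed-name pairs of the kind Vundo used (awvvs.dll next to svvwa.ini in the VundoFix listing later in the thread). The flag rules and the sample lines are my own selection from this thread; a flagged line is a prompt to look at that file, not a verdict.

```python
import re

# Constructed sample: lines copied from the HijackThis log in this thread,
# plus two benign entries (Adobe BHO, RTHDCPL) for contrast.
SAMPLE_HJT = r"""
F3 - REG:win.ini: load=E:\WINDOWS\system32\awvvs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {51DFF716-59FE-4279-B13A-3DA6F8B8C5BF} - E:\WINDOWS\system32\awvvs.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [runner1] E:\WINDOWS\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [Kcaqvz] "E:\Program Files\Common Files\??curity\m?config.exe"
O20 - Winlogon Notify: awturpq - E:\WINDOWS\SYSTEM32\awturpq.dll
"""
# Constructed subset of the file names in the VundoFix listing later in the thread.
SAMPLE_VUNDOFIX_FILES = [
    r"E:\WINDOWS\system32\awvvs.dll", r"E:\WINDOWS\system32\awvvs.exe",
    r"E:\windows\system32\svvwa.ini", r"E:\WINDOWS\system32\ljjheeb.dll",
]

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)  # file directly in the Windows directory

def parse_hjt(text):
    """Yield (section, body) for every 'Oxx - ...' line of a HijackThis log."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def run_target(body):
    """Extract the executable path from an O4 body: '...: [name] "path" args'."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def triage(text):
    """Return (section, reason, line) for entries that merit a closer look."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "F3" and re.search(r"load=\S", body):
            findings.append((section, "win.ini load= is normally empty", body))
        elif section == "O2" and "(no name)" in body:
            findings.append((section, "unnamed BHO", body))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            findings.append((section, "Winlogon Notify hook, check the DLL", body))
        elif section == "O4":
            target = run_target(body)
            if "?" in target or not target.isascii():
                findings.append((section, "unprintable characters in path", body))
            elif WINROOT_RE.match(target):
                findings.append((section, "executable dropped in Windows root", body))
    return findings

def reversed_name_pairs(paths):
    """Find base names that are the exact reverse of another one (awvvs / svvwa)."""
    stems = {p.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower() for p in paths}
    return sorted((s, s[::-1]) for s in stems if s[::-1] in stems and s < s[::-1])

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_HJT):
        print(f"{section:4} {reason:36} {line}")
    print("reversed-name pairs:", reversed_name_pairs(SAMPLE_VUNDOFIX_FILES))
```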

#2 racenutalways (Member 1K, Retired Staff, 1,675 posts)
Hello crossya0va and welcome to G2G. You are badly infected; this will take a few steps to get you cleaned up. Let's start with this:

Please go HERE and click the "Download VundoFix" link.
Download VundoFix to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you also use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you also use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


SUPERAntiSpyware Home Edition (free version) - Download - Home Page

1. Install it and double-click the icon on your desktop to run it.
2. It will ask if you want to update the program definitions, click Yes.
3. Under Configuration and Preferences, click the Preferences button.
4. Click the Scanning Control tab.
5. Under Scanner Options make sure the following are checked:
   1. Close browsers before scanning
   2. Scan for tracking cookies
   3. Terminate memory threats before quarantining.
   4. Please leave the others unchecked.
   5. Click the Close button to leave the control center screen.
6. On the main screen, under Scan for Harmful Software click Scan your computer.
7. On the left check C:\Fixed Drive.
8. On the right, under Complete Scan, choose Perform Complete Scan.
9. Click Next to start the scan. Please be patient while it scans your computer.
10. After the scan is complete a summary box will appear. Click OK.
11. Make sure everything in the white box has a check next to it, then click Next.
12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
13. To retrieve the removal information for me please do the following:
   1. After reboot, double-click the SUPERAntiSpyware icon on your desktop.
   2. Click Preferences. Click the Statistics/Logs tab.
   3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
   4. It will open in your default text editor (such as Notepad/Wordpad).
   5. Please highlight everything in the notepad, then right-click and choose copy.
14. Click close and close again to exit the program.
15. Save the log information. If needed (still infected) paste this info along with your HijackThis log.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 crossya0va (Topic Starter, New Member, 4 posts)
Here is the log after the vundo fix

EDIT: I have run VundoFix again after it supposedly removed everything, and it still finds the same bad files... how do I remove them for good?!


VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 6:30:01 PM 12/19/2007

Listing files found while scanning....

E:\WINDOWS\mrofinu1044.exe
E:\WINDOWS\system32\awturpq.dll
E:\WINDOWS\system32\awvvs.dll
E:\WINDOWS\system32\awvvs.exe
E:\WINDOWS\system32\ljjheeb.dll
E:\windows\system32\svvwa.ini
E:\WINDOWS\system32\svvwa.ini2

Beginning removal...

Attempting to delete E:\WINDOWS\mrofinu1044.exe
E:\WINDOWS\mrofinu1044.exe Has been deleted!

Attempting to delete E:\WINDOWS\system32\awturpq.dll
E:\WINDOWS\system32\awturpq.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\awvvs.dll
E:\WINDOWS\system32\awvvs.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\awvvs.exe
E:\WINDOWS\system32\awvvs.exe Has been deleted!

Attempting to delete E:\WINDOWS\system32\ljjheeb.dll
E:\WINDOWS\system32\ljjheeb.dll Has been deleted!

Attempting to delete E:\windows\system32\svvwa.ini
E:\windows\system32\svvwa.ini Has been deleted!

Attempting to delete E:\WINDOWS\system32\svvwa.ini2
E:\WINDOWS\system32\svvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete E:\WINDOWS\system32\awturpq.dll
E:\WINDOWS\system32\awturpq.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\awvvs.dll
E:\WINDOWS\system32\awvvs.dll Has been deleted!

Attempting to delete E:\WINDOWS\system32\awvvs.exe
E:\WINDOWS\system32\awvvs.exe Has been deleted!

Attempting to delete E:\windows\system32\svvwa.ini
E:\windows\system32\svvwa.ini Has been deleted!

Attempting to delete E:\WINDOWS\system32\svvwa.ini2
E:\WINDOWS\system32\svvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 4:46:58 PM 12/26/2007

Listing files found while scanning....

E:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
E:\WINDOWS\system32\awvvs.dll
E:\WINDOWS\system32\awvvs.exe
E:\windows\system32\svvwa.ini
E:\WINDOWS\system32\svvwa.ini2

Beginning removal...

Attempting to delete E:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
E:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe Has been deleted!

Attempting to delete E:\WINDOWS\system32\awvvs.dll
E:\WINDOWS\system32\awvvs.dll Has been deleted!

Attempting to delete E:\WINDOWS\system32\awvvs.exe
E:\WINDOWS\system32\awvvs.exe Has been deleted!

Attempting to delete E:\windows\system32\svvwa.ini
E:\windows\system32\svvwa.ini Has been deleted!

Attempting to delete E:\WINDOWS\system32\svvwa.ini2
E:\WINDOWS\system32\svvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 4:56:55 PM 12/26/2007

Listing files found while scanning....

Edited by crossya0va, 26 December 2007 - 04:00 PM.


#4 crossya0va (Topic Starter, New Member, 4 posts)
Here is the log after the superantispyware scan

SUPERAntiSpyware Scan Log
Generated 12/26/2007 at 05:26 PM

Application Version : 3.6.1000

Core Rules Database Version : 3368
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 00:23:53

Memory items scanned : 430
Memory threats detected : 1
Registry items scanned : 5161
Registry threats detected : 17
File items scanned : 32028
File threats detected : 2

Adware.Vundo Variant
E:\WINDOWS\SYSTEM32\AWVVS.DLL
E:\WINDOWS\SYSTEM32\AWVVS.DLL
HKLM\Software\Classes\CLSID\{60178F36-3B6C-4073-8DD4-1FA04CFDEBE7}
HKCR\CLSID\{60178F36-3B6C-4073-8DD4-1FA04CFDEBE7}
HKCR\CLSID\{60178F36-3B6C-4073-8DD4-1FA04CFDEBE7}\InprocServer32
HKCR\CLSID\{60178F36-3B6C-4073-8DD4-1FA04CFDEBE7}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6B0237AB-C9AF-444E-A79B-F4D5816A1999}
HKCR\CLSID\{6B0237AB-C9AF-444E-A79B-F4D5816A1999}
HKCR\CLSID\{6B0237AB-C9AF-444E-A79B-F4D5816A1999}\InprocServer32
HKCR\CLSID\{6B0237AB-C9AF-444E-A79B-F4D5816A1999}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{7524D628-BAB6-428E-9C32-6B51F0992003}
HKCR\CLSID\{7524D628-BAB6-428E-9C32-6B51F0992003}
HKCR\CLSID\{7524D628-BAB6-428E-9C32-6B51F0992003}\InprocServer32
HKCR\CLSID\{7524D628-BAB6-428E-9C32-6B51F0992003}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{EC22A15A-ED7E-40FA-AB15-D54BDD35F308}
HKCR\CLSID\{EC22A15A-ED7E-40FA-AB15-D54BDD35F308}
HKCR\CLSID\{EC22A15A-ED7E-40FA-AB15-D54BDD35F308}\InprocServer32
HKCR\CLSID\{EC22A15A-ED7E-40FA-AB15-D54BDD35F308}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7524D628-BAB6-428E-9C32-6B51F0992003}

Adware.Tracking Cookie
E:\Documents and Settings\Joe\Cookies\joe@2o7[1].txt

EDIT: Even after this, I run VundoFix and it still shows that I am infected... here is my HijackThis log again after all the recommended steps you provided.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:07 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\WINDOWS\system32\nvsvc32.exe
e:\WINDOWS\system32\ZuneBusEnum.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Zune\ZuneLauncher .exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\PeerGuardian2\pg2 .exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\AIM6\aim6 .exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\AIM6\aolsoftware.exe
E:\Documents and Settings\Joe\Desktop\VundoFix.exe
E:\WINDOWS\system32\msiexec.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Documents and Settings\Joe\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F3 - REG:win.ini: load=E:\WINDOWS\system32\awvvs.exe
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "e:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [PeerGuardian] E:\Program Files\PeerGuardian2\pg2 .exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10091CC5-6F39-43A6-9827-40296B881789}: NameServer = 167.206.254.2,167.206.254.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5304 bytes

Edited by crossya0va, 26 December 2007 - 04:38 PM.


#5 crossya0va (Topic Starter, New Member, 4 posts)
Bump, any help out there? Still infected!

#6 racenutalways (Member 1K, Retired Staff, 1,675 posts)
Still waiting for the combofix report I asked for.