Rootkit.agent (core.cache.dsk) infected pls help

#1 Sam_
Hi guys

My PC is a dual-boot system; I can boot into Win2K or WinXP.

Drive C: is Windows 2000 and D: is XP.

I've been using XP mostly, and sometime about 2 weeks ago I think it got infected with Rootkit.agent.

Originally there were 2 files, core.sys and core.cache.dsk, but I've been unable to remove the latter.

Every time I delete it under Safe Mode it reappears when I reboot.

I have AVG Anti-Spyware, AVG Antivirus and Firewall,
and Spyware Doctor.

Spyware Doctor is the one that found it. It says removed successfully, but on every rescan it reappears.

Here are my logs.

First, the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:01, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\EMS Free Surfer Companion\fs30.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.altavista.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DrvLsnr] D:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [freesurfer] D:\Program Files\EMS Free Surfer Companion\fs30.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\EMS Free Surfer Companion\FS30.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5284 bytes


Uninstall list

Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Apple Software Update
AVG 7.5
AVG Anti-Spyware 7.5
Azureus
Battlefield 2™
Battlefield 2: Special Forces
BitLord 1.1
DivX Codec
DivX Content Uploader
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Electronics Assistant V4.1
EMS Free Surfer Companion 1.3.0.0
Foxit PDF Editor
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Japanese Fonts Support For Adobe Reader 8
Kaspersky Online Scanner
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
mIRC
MSN
Navilog1 3.4.0
Nero 7 Demo
NETGEAR WG111v2 wireless USB 2.0 adapter
NVIDIA Drivers
ObjMon 1.00
PDFCreator PL 0.8.0
QuickTime
RootKit Hook Analyzer 3.02
Scope
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
SoundMAX
Spyware Doctor 5.5
SUPERAntiSpyware Free Edition
TMD Recruit Pack
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Xvid 1.1.3 final uninstall

-------



ComboFix log

ComboFix 08-01-18.4 - Sam 2008-01-19 1:04:26.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1641 [GMT 11:00]
Running from: D:\apps\ComboFixnew.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-19 01:07 . 2008-01-19 01:07 932 --------- D:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-19 00:59 . 2008-01-19 01:00 1,760 --a------ D:\WINDOWS\system32\ikhcore.cfg
2008-01-18 23:03 . 2008-01-18 23:05 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-01-18 23:03 . 2008-01-18 23:03 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 23:03 . 2008-01-18 23:03 <DIR> d-------- D:\Documents and Settings\Sam\Application Data\SUPERAntiSpyware.com
2008-01-18 23:03 . 2008-01-18 23:03 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-18 22:03 . 2002-11-15 18:36 40,960 --a------ D:\XP_FixLogon.exe
2008-01-18 04:23 . 2008-01-18 04:23 106 --a------ D:\delete.bat
2008-01-18 01:03 . 2008-01-18 01:03 <DIR> d-------- D:\WINDOWS\srchasst
2008-01-18 00:50 . 2008-01-18 00:50 5,922,347 --a------ D:\WINDOWS\bak.rar
2008-01-17 23:43 . 2008-01-19 01:03 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-01-17 10:40 . 2008-01-18 05:24 <DIR> d-------- D:\Program Files\Navilog1
2008-01-17 09:00 . 2008-01-19 01:01 <DIR> d-------- D:\HijackThis
2008-01-17 08:43 . 2008-01-17 08:43 <DIR> d-------- D:\WINDOWS\ERUNT
2008-01-17 07:48 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-17 07:26 . 2008-01-17 07:26 <DIR> d-------- D:\VundoFix Backups
2008-01-17 07:20 . 2008-01-17 07:20 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-01-17 07:07 . 2008-01-17 07:07 <DIR> d-------- D:\Program Files\ObjMon
2008-01-17 07:04 . 2008-01-18 04:40 <DIR> d-------- D:\Program Files\RootKit Hook Analyzer
2008-01-17 07:04 . 2008-01-17 09:45 19,248 --a------ D:\WINDOWS\system32\drivers\rspsc32.sys
2008-01-17 03:17 . 2008-01-18 22:29 <DIR> d-------- D:\Program Files\Spyware Doctor
2008-01-17 03:17 . 2008-01-17 03:17 <DIR> d-------- D:\Documents and Settings\Sam\Application Data\PC Tools
2008-01-17 03:17 . 2007-12-10 14:53 81,288 --a------ D:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-17 03:17 . 2007-12-10 14:53 66,952 --a------ D:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-17 03:17 . 2007-12-10 14:53 41,864 --a------ D:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-17 03:17 . 2008-01-17 09:46 29,576 --a------ D:\WINDOWS\system32\drivers\kcom.sys
2008-01-16 17:31 . 2008-01-18 05:38 0 --a------ D:\WINDOWS\wininit.ini
2008-01-16 05:21 . 2008-01-16 17:31 <DIR> d-------- D:\Program Files\BulletProofSoft.com
2008-01-16 02:18 . 2008-01-16 02:18 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SITEguard
2008-01-16 02:17 . 2008-01-16 02:17 <DIR> d-------- D:\Program Files\Common Files\iS3
2008-01-16 01:04 . 2008-01-16 21:23 <DIR> d-------- D:\Program Files\EMS Free Surfer Companion
2008-01-15 17:53 . 2006-09-06 03:03 3,968 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-14 22:23 . 2008-01-14 22:23 86,144 --a------ D:\WINDOWS\system32\drivers\diskdumpp.sys
2008-01-11 20:53 . 2008-01-11 20:53 <DIR> d-------- D:\Documents and Settings\Sam\Application Data\Ahead
2008-01-11 20:52 . 2008-01-11 20:52 <DIR> d-------- D:\Program Files\Nero
2008-01-11 20:52 . 2008-01-11 20:52 <DIR> d-------- D:\Program Files\Common Files\Ahead
2007-12-29 15:23 . 2007-12-29 15:23 <DIR> d-------- D:\Program Files\Common Files\Adobe
2007-12-20 22:06 . 2007-12-20 22:06 <DIR> d-------- D:\Program Files\Scope
2007-12-20 22:06 . 2007-12-20 22:06 <DIR> d-------- D:\Program Files\National Instruments
2007-12-19 21:22 . 2007-12-19 21:22 <DIR> d-------- D:\Program Files\Electronics 2000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 12:28 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-01-17 19:41 4,649 ----a-w D:\WINDOWS\system32\drivers\hijackthis.log
2008-01-15 18:12 --------- d-----w D:\Documents and Settings\Sam\Application Data\AVG7
2008-01-15 18:00 --------- d-----w D:\Documents and Settings\All Users\Application Data\avg7
2008-01-15 07:06 --------- d-----w D:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-08 03:34 --------- d-----w D:\Program Files\Cool PDF Reader
2007-12-08 03:27 --------- d-----w D:\Program Files\PDFCreator PL
2007-12-08 03:27 --------- d-----w D:\Documents and Settings\Sam\Application Data\PDFCreator
2007-12-02 15:15 --------- d-----w D:\Documents and Settings\Sam\Application Data\Apple Computer
.

((((((((((((((((((((((((((((( snapshot@2008-01-17_ 8.10.20.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 21:04:19 229,376 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 14:04:08 229,376 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 21:04:19 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 14:04:08 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 21:04:19 229,376 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 14:04:09 229,376 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 21:04:19 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 14:04:09 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 21:04:19 4,984,832 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 14:04:09 5,144,576 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-16 21:04:19 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 14:04:09 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 07:29:08 163,328 ----a-w D:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-16 23:04:50 5,009,408 ----a-w D:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-16 23:04:50 8,192 ----a-w D:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-15 07:29:08 163,328 ----a-w D:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-16 21:43:41 4,997,120 ----a-w D:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-16 21:43:42 8,192 ----a-w D:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-01-18 12:03:45 29,696 ----a-r D:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-18 12:03:45 18,944 ----a-r D:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-18 12:03:45 65,024 ----a-r D:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-01-18 11:25:41 6,008 ----a-w D:\WINDOWS\SoftwareDistribution\EventCache\{E565A5DB-F167-4C61-95AA-133E3D35BC3A}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 21:48 157592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"PHIME2002ASync"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"DrvLsnr"="D:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 13:34 69632]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 17:55 579072]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-11-10 19:51 286720]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-01-15 18:03 6731312]
"freesurfer"="D:\Program Files\EMS Free Surfer Companion\fs30.exe" [2005-02-15 14:43 929792]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2006-08-12 00:43 7630848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-12 04:51 219136]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - D:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 17:05:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 diskdumpp;diskdumpp;D:\WINDOWS\system32\drivers\diskdumpp.sys [2008-01-14 22:23]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;D:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 18:53]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{535aaaa1-4281-11dc-b70b-00184db41f0a}]
\Shell\AutoRun\command - F:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-10 23:52:01 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 01:08:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 1:10:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 14:10:40
ComboFix2.txt 2008-01-17 18:49:40
ComboFix3.txt 2008-01-17 17:59:33
ComboFix4.txt 2008-01-17 01:02:38
ComboFix5.txt 2008-01-16 23:33:01
.
2008-01-15 11:44:25 --- E O F ---





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/19/2008 at 00:44 AM

Application Version : 3.9.1008

Core Rules Database Version : 3382
Trace Rules Database Version: 1376

Scan type : Complete Scan
Total Scan Time : 01:35:37

Memory items scanned : 415
Memory threats detected : 0
Registry items scanned : 4646
Registry threats detected : 0
File items scanned : 69816
File threats detected : 4

RootKit.TnCore/Trace
D:\WINDOWS\system32\drivers\core.cache.dsk

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt



-----


Help getting rid of this is appreciated.

It seems most virus, antispyware, malware and adware removers can't get rid of this one.

Thanks in advance.


Also, what registry cleaner do you guys advise using?
Sam
PS: I've also tried Spybot Search & Destroy and nolop.
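The ComboFix "Files Created" section above is where the recreated file shows up (created at 01:07, three minutes after the 01:04 run started, in the drivers directory, with a non-.sys extension and every attribute bit cleared). The following is an added example, not code from the thread or from ComboFix, that parses that section together with the driver and service loading points and raises the review flags a helper would look at. The sample lines are quoted from the log above; the flag names are my own.

```python
import re
from datetime import datetime

# Constructed sample input, quoted from the thread's ComboFix log: the header
# line (which carries the time the run started), a few "Files Created" lines
# and three loading-point lines. Any other ComboFix log parses the same way.
COMBOFIX_HEADER = "ComboFix 08-01-18.4 - Sam 2008-01-19 1:04:26.11 - NTFSx86"

FILES_CREATED = r"""
2008-01-19 01:07 . 2008-01-19 01:07 932 --------- D:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-19 00:59 . 2008-01-19 01:00 1,760 --a------ D:\WINDOWS\system32\ikhcore.cfg
2008-01-18 23:03 . 2008-01-18 23:05 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-01-17 07:04 . 2008-01-17 09:45 19,248 --a------ D:\WINDOWS\system32\drivers\rspsc32.sys
2008-01-14 22:23 . 2008-01-14 22:23 86,144 --a------ D:\WINDOWS\system32\drivers\diskdumpp.sys
"""

LOADING_POINTS = r"""
R1 diskdumpp;diskdumpp;D:\WINDOWS\system32\drivers\diskdumpp.sys [2008-01-14 22:23]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;D:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 18:53]
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""

# One "Files Created" line: created . modified size attrs path
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*)$"
)
# A Windows path to a driver or service binary inside a loading-point line
PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\];]+?\.(?:sys|exe|dll)\b", re.IGNORECASE)


def parse_scan_start(header):
    """Return the run start time recorded in the ComboFix header line."""
    m = re.search(r"\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}", header)
    if not m:
        raise ValueError("no timestamp in ComboFix header")
    return datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S")


def parse_files_created(text):
    """Turn the 'Files Created' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "size": None if m["size"] == "<DIR>" else int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"],
        })
    return entries


def parse_loading_points(text):
    """Collect (lower-cased) every binary path that some loading point references."""
    return {p.lower() for p in PATH_RE.findall(text)}


def assess(entry, scan_start, loading_points):
    """Return the review flags raised for one file entry (directories get none)."""
    flags = []
    if entry["is_dir"]:
        return flags
    path = entry["path"].lower()
    in_drivers = "\\drivers\\" in path
    if in_drivers and not path.endswith(".sys"):
        flags.append("NON_SYS_IN_DRIVERS")       # drivers dir normally holds .sys only
    if entry["created"] >= scan_start:
        flags.append("CREATED_DURING_SCAN")      # written back while the tools ran
    if "a" not in entry["attrs"]:
        flags.append("NO_ARCHIVE_BIT")           # normal writes leave the archive bit set
    if in_drivers and path not in loading_points:
        flags.append("UNREFERENCED_DRIVER")      # no service/driver entry loads it
    return flags


def triage(header, files_created, loading_points_text):
    """Map every file in the 'Files Created' section to its list of flags."""
    scan_start = parse_scan_start(header)
    refs = parse_loading_points(loading_points_text)
    return {e["path"]: assess(e, scan_start, refs)
            for e in parse_files_created(files_created) if not e["is_dir"]}


def run_triage():
    """Run the triage over the constructed sample above."""
    return triage(COMBOFIX_HEADER, FILES_CREATED, LOADING_POINTS)


if __name__ == "__main__":
    for path, flags in run_triage().items():
        print(f"{path}: {', '.join(flags) or 'no flags'}")
```

A flag is a reason to look closer, not a verdict: here rspsc32.sys is flagged only because none of the three quoted loading points references it, which a full log may well explain.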



#2 Sam_
I have attached WinPFind3.Txt here in zip format, as it was over 500k and is too large.

Sam
PS: I've also tried SmitFraudFix.

Attached file: WinPFind3.zip (51.69 KB)

Edited by Sam_, 18 January 2008 - 08:39 AM.


#3 Sam_

Here's the DSS log:


Deckard's System Scanner v20071014.68
Run by Sam on 2008-01-19 01:52:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-01-18 14:52:56 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-01-18 14:04:05 UTC - RP4 - ComboFix created restore point
3: 2008-01-18 12:27:52 UTC - RP3 - Removed The Matrix - Path of Neo
2: 2008-01-18 12:03:41 UTC - RP2 - Installed SUPERAntiSpyware Free Edition
1: 2008-01-17 12:46:48 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive D: has 1.03 GiB (less than 15%) free.


-- HijackThis (run as Sam.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:53, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\EMS Free Surfer Companion\fs30.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\apps\dss.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\HIJACK~1\Sam.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.altavista.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DrvLsnr] D:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [freesurfer] D:\Program Files\EMS Free Surfer Companion\fs30.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\EMS Free Surfer Companion\FS30.exe
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5428 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 diskdumpp - d:\windows\system32\drivers\diskdumpp.sys
R1 SASDIFSV - d:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - d:\program files\superantispyware\saskutil.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - d:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R3 SASENUM - d:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 InCDPass - d:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - d:\windows\system32\drivers\incdrm.sys (file missing)
S3 catchme - d:\docume~1\sam\locals~1\temp\catchme.sys (file missing)
S3 GMSIPCI - e:\install\gmsipci.sys (file missing)
S3 MSICPL - e:\install4\msicpl.sys (file missing)
S3 NTACCESS - e:\ntaccess.sys (file missing)
S3 SABProcEnum - d:\program files\internet explorer\sabprocenum.sys (file missing)
S3 SetupNTGLM7X - e:\ntglm7x.sys (file missing)
S4 InCDFs (InCD File System) - d:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_16A6&SUBSYS_00CC103C&REV_02\4&25296D99&0&10F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_16A6&SUBSYS_00CC103C&REV_02\4&25296D99&0&10F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Video Controller
Device ID: PCI\VEN_109E&DEV_036E&SUBSYS_00000000&REV_11\4&25296D99&0&58F0
Manufacturer:
Name: Multimedia Video Controller
PNP Device ID: PCI\VEN_109E&DEV_036E&SUBSYS_00000000&REV_11\4&25296D99&0&58F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_109E&DEV_0878&SUBSYS_00000000&REV_11\4&25296D99&0&59F0
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_109E&DEV_0878&SUBSYS_00000000&REV_11\4&25296D99&0&59F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SCSI Controller
Device ID: PCI\VEN_9005&DEV_801F&SUBSYS_00CC103C&REV_03\4&25296D99&0&60F0
Manufacturer:
Name: SCSI Controller
PNP Device ID: PCI\VEN_9005&DEV_801F&SUBSYS_00CC103C&REV_03\4&25296D99&0&60F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SCSI Controller
Device ID: PCI\VEN_9005&DEV_801F&SUBSYS_00CC103C&REV_03\4&25296D99&0&61F0
Manufacturer:
Name: SCSI Controller
PNP Device ID: PCI\VEN_9005&DEV_801F&SUBSYS_00CC103C&REV_03\4&25296D99&0&61F0
Service:

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&36B16CB7&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&36B16CB7&0
Service: i8042prt

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&36B16CB7&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&36B16CB7&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-01-11 10:52:01 284 --a------ D:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-19 and 2008-01-19 -----------------------------

2008-01-18 23:03:47 0 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-18 23:03:42 0 d-------- D:\Program Files\SUPERAntiSpyware
2008-01-18 23:03:42 0 d-------- D:\Documents and Settings\Sam\Application Data\SUPERAntiSpyware.com
2008-01-18 23:03:25 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 22:06:39 0 d-------- D:\WINDOWS\CSC
2008-01-18 22:03:54 40960 --a------ D:\XP_FixLogon.exe <Not Verified; Doug Knox; FixWinXPLogon>
2008-01-18 04:23:59 106 --a------ D:\delete.bat
2008-01-18 01:03:31 0 d-------- D:\WINDOWS\srchasst
2008-01-17 23:43:38 0 d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-01-17 10:40:16 0 d-------- D:\Program Files\Navilog1
2008-01-17 09:00:48 0 d-------- D:\HijackThis <HIJACK~1>
2008-01-17 08:43:31 0 d-------- D:\WINDOWS\ERUNT
2008-01-17 07:26:37 0 d-------- D:\VundoFix Backups
2008-01-17 07:20:39 0 d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-01-17 07:07:42 0 d-------- D:\Program Files\ObjMon
2008-01-17 07:04:50 0 d-------- D:\Program Files\RootKit Hook Analyzer
2008-01-17 03:17:21 0 d-------- D:\Program Files\Spyware Doctor
2008-01-17 03:17:21 0 d-------- D:\Documents and Settings\Sam\Application Data\PC Tools
2008-01-16 22:26:38 0 dr------- D:\Documents and Settings\LocalService\Favorites
2008-01-16 05:24:33 10752 --a------ D:\WINDOWS\system32\md5.dll <Not Verified; ; MD5 Maker>
2008-01-16 05:21:32 0 d-------- D:\Program Files\BulletProofSoft.com
2008-01-16 02:31:31 0 d-------- D:\Documents and Settings\NetworkService\Desktop
2008-01-16 02:18:29 0 d-------- D:\Documents and Settings\All Users\Application Data\SITEguard
2008-01-16 02:17:38 0 d-------- D:\Program Files\Common Files\iS3
2008-01-16 01:04:55 0 d-------- D:\Program Files\EMS Free Surfer Companion
2008-01-15 22:39:41 0 d-------- D:\WINDOWS\network diagnostic
2008-01-14 22:23:28 86144 --a------ D:\WINDOWS\system32\drivers\diskdumpp.sys
2008-01-11 20:53:19 0 d-------- D:\Documents and Settings\Sam\Application Data\Ahead
2008-01-11 20:52:09 0 d-------- D:\Program Files\Nero
2008-01-11 20:52:09 0 d-------- D:\Program Files\Common Files\Ahead
2007-12-29 15:24:37 0 d-------- D:\Documents and Settings\Sam\Application Data\Adobe
2007-12-29 15:23:24 0 d-------- D:\Documents and Settings\All Users\Application Data\Adobe
2007-12-29 15:23:15 0 d-------- D:\Program Files\Common Files\Adobe
2007-12-20 22:06:23 0 d-------- D:\Program Files\Scope
2007-12-20 22:06:23 0 d-------- D:\Program Files\National Instruments
2007-12-19 21:22:04 0 d-------- D:\Program Files\Electronics 2000


-- Find3M Report ---------------------------------------------------------------

2008-01-18 23:28:11 0 d--h----- D:\Program Files\InstallShield Installation Information
2008-01-18 23:03:25 0 d-------- D:\Program Files\Common Files
2008-01-16 05:12:44 0 d-------- D:\Documents and Settings\Sam\Application Data\AVG7
2007-12-08 14:34:03 0 d-------- D:\Program Files\Cool PDF Reader
2007-12-08 14:27:07 0 d-------- D:\Program Files\PDFCreator PL
2007-12-08 14:27:01 0 d-------- D:\Documents and Settings\Sam\Application Data\PDFCreator
2007-12-03 02:15:10 0 d-------- D:\Documents and Settings\Sam\Application Data\Apple Computer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 23:00]
"PHIME2002ASync"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 23:00]
"PHIME2002A"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 23:00]
"DrvLsnr"="D:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [05/08/2003 13:34]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/21/2007 17:55]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [11/10/2007 19:51]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 19:51]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [01/15/2008 18:03]
"freesurfer"="D:\Program Files\EMS Free Surfer Companion\fs30.exe" [02/15/2005 14:43]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [08/12/2006 00:43]
"ISTray"="D:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 14:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [11/12/2006 21:48]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [10/28/2005 16:25]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 23:00]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 14:06]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - D:\Program Files\NETGEAR\WG111v2\WG111v2.exe [5/17/2006 5:05:52 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{535aaaa1-4281-11dc-b70b-00184db41f0a}]
AutoRun\command- F:\Autorun.exe




-- End of Deckard's System Scanner: finished at 2008-01-19 01:54:17 ------------




Sam
  • 0

#4
Sam_

    New Member

  • Topic Starter
  • Member
  • 6 posts
Here's my latest HijackThis log,

as I installed Advanced System Optimizer and Registry Mechanic.

Please, anyone, please help me.

I see this is a very busy forum and my post went back three pages in one day.
I'm wondering if you guys ever have time to get through them.

Sam

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.altavista.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DrvLsnr] D:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [freesurfer] D:\Program Files\EMS Free Surfer Companion\fs30.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\EMS Free Surfer Companion\FS30.exe
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4982 bytes


Thanks
Sam
  • 0

#5
Sam_

    New Member

  • Topic Starter
  • Member
  • 6 posts
Anyone willing to help? Come on guys, please..


Here's my latest SDFix log.



SDFix: Version 1.127

Run by Sam on Sun 01/20/2008 at 19:44

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

D:\WINDOWS
No streams found.

D:\WINDOWS\system32
No streams found.

D:\WINDOWS\system32\svchost.exe
No streams found.

D:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 19:49:40
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:bed9b066
"s2"=dword:f898b573
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:9e,26,c3,7b,99,71,78,7c,59,c6,06,ec,00,be,9c,5b,c4,4d,79,b6,ea,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,56,6b,c3,25,3f,83,d9,16,42,c5,2a,bb,46,db,f3,43,18,..
"khjeh"=hex:e1,16,2a,89,e0,39,12,9e,61,e9,45,33,c6,65,72,b3,a7,d2,86,5d,df,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:64,62,03,00,30,46,39,00,40,21,26,00,68,62,69,6e,00,50,39,00,00,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:9e,26,c3,7b,99,71,78,7c,59,c6,06,ec,00,be,9c,5b,c4,4d,79,b6,ea,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,56,6b,c3,25,3f,83,d9,16,42,c5,2a,bb,46,db,f3,43,18,..
"khjeh"=hex:e1,16,2a,89,e0,39,12,9e,61,e9,45,33,c6,65,72,b3,a7,d2,86,5d,df,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:64,62,03,00,00,c6,2c,00,6c,00,70,00,88,ff,ff,ff,6e,6b,20,00,34,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"OfflineDetectionPending"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:


Finished!


Thanks, Sam
  • 0

#6
Sam_

    New Member

  • Topic Starter
  • Member
  • 6 posts
Here's a log of SmitFraudFix in safe mode. Come on guys, please help,

I don't really want to reformat.

SmitFraudFix v2.274

Scan done at 2:43:14.50, Mon 01/21/2008
Run from D:\apps\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» D:\


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Sam


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Sam\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\Sam\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{87248D38-B3C2-4B4C-8E76-C5FF0987174E}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{87248D38-B3C2-4B4C-8E76-C5FF0987174E}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{87248D38-B3C2-4B4C-8E76-C5FF0987174E}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Awaiting your advice.

Sam
  • 0