Geeks to Go
win32:Inject-EV[Trj] and win32:TratBHO[Trj] [RESOLVED]


This topic is locked

#1
Night-Wish
New Member, 6 posts
Hi to all Geeks!

About two days ago my avast! came up with a virus warning for win32:TratBHO[Trj]. So I tried to get rid of this problem. At first I tried with Avast!, then with Ad-Aware 2007, Spybot S&D, AVG Anti-Spyware and several other similar programs...
When I thought that it was all over, the warning reappeared with its new "friend" win32:Inject-EV[Trj]!!!

After some browsing across the entire network, I found a few solutions that might work, along with this site, which seems to be it!
I even found a similar problem to mine - "http://www.geekstogo...j-t184460.html" ....
I even tried the next step, by running ComboFix.

If I got this right, I must now post my ComboFix.txt here ->

ComboFix 08-01-23.1C - Nighty & Soncek 2008-01-27 18:34:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.704 [GMT 1:00]
Running from: C:\Documents and Settings\Nighty & Soncek\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\opnomlj.dll
C:\WINDOWS\system32\ssprs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 18:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 15:50 . 2008-01-27 15:51 <DIR> d-------- C:\Program Files\AVG Anti-Spyware
2008-01-27 15:50 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-26 16:44 . 2008-01-26 16:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-26 14:44 . 2008-01-26 15:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-25 13:05 . 2008-01-25 13:05 1,459 --a------ C:\WINDOWS\system32\HotPlug.GIF
2008-01-23 16:55 . 2004-10-11 16:36 176,128 --a------ C:\WINDOWS\system32\nvumpu.exe
2008-01-23 16:44 . 2008-01-23 16:44 <DIR> d-------- C:\Program Files\AC3Filter
2008-01-23 16:42 . 2008-01-23 16:42 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-01-23 16:42 . 2007-08-18 08:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-01-22 14:37 . 2008-01-22 14:37 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Pro
2008-01-22 11:39 . 2008-01-22 11:40 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-01-21 19:55 . 2008-01-25 20:16 1,890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-21 19:55 . 2008-01-25 20:16 56 -rahs---- C:\WINDOWS\system32\65A8E0D73B.sys
2008-01-21 19:37 . 2008-01-21 19:37 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-01-21 19:29 . 2008-01-21 19:37 <DIR> d-------- C:\Program Files\Macromedia
2008-01-21 19:29 . 2008-01-21 19:35 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-01-21 19:28 . 2008-01-21 19:36 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-21 12:40 . 2008-01-23 16:26 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2008-01-21 12:32 . 2008-01-21 12:32 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-21 12:17 . 2008-01-21 12:51 <DIR> d-------- C:\Program Files\BSplayer
2008-01-20 17:01 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-01-20 17:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-20 17:01 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-20 17:01 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-16 21:14 . 2008-01-16 21:14 1,392,304 --a------ C:\WINDOWS\system32\AutoPartNt.exe
2008-01-16 21:14 . 2008-01-16 21:15 1,024 --a------ C:\WINDOWS\system32\AutoPartNt.let
2008-01-16 20:19 . 2008-01-16 20:19 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-01-16 20:19 . 2008-01-16 20:19 <DIR> d-------- C:\Program Files\Acronis
2008-01-16 20:19 . 2008-01-16 20:19 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-01-16 14:11 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-01-16 14:11 . 2004-08-03 23:08 60,288 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-01-15 19:25 . 2008-01-16 14:07 32 --a------ C:\WINDOWS\0
2008-01-15 19:25 . 2008-01-15 19:25 0 --a------ C:\WINDOWS\system32\0
2008-01-13 20:35 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-13 20:35 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-13 20:34 . 2004-04-23 07:00 116,736 --a------ C:\WINDOWS\system32\CNMLM5y.DLL
2008-01-13 20:34 . 2004-03-11 18:06 86,016 --a------ C:\WINDOWS\system32\CNMCP5y.exe
2008-01-13 20:34 . 2004-04-23 07:00 7,680 --a------ C:\WINDOWS\system32\CNMVS5y.DLL
2008-01-13 20:32 . 2008-01-13 20:32 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-13 20:27 . 2008-01-13 20:28 <DIR> d-------- C:\Program Files\Real Alternative
2008-01-13 20:27 . 2008-01-13 20:27 <DIR> d-------- C:\Program Files\Media Player Classic
2008-01-13 20:21 . 2008-01-13 20:34 <DIR> d-------- C:\Canon iP1500
2008-01-13 20:00 . 2004-07-26 16:16 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-01-13 20:00 . 2004-07-26 16:16 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-01-13 20:00 . 2004-07-26 16:16 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-01-13 20:00 . 2004-07-09 08:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-01-13 20:00 . 2004-07-26 16:16 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-01-13 20:00 . 2005-09-01 11:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-01-13 20:00 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-13 20:00 . 2005-09-01 11:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-13 18:50 . 2008-01-13 18:50 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-12 21:44 . 2008-01-25 11:54 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-12 21:37 . 2004-10-22 11:42 919,424 --a------ C:\WINDOWS\system32\drivers\nvmcp.sys
2008-01-12 21:37 . 2004-10-22 11:41 413,824 --a------ C:\WINDOWS\system32\drivers\nvapu.sys
2008-01-12 21:37 . 2004-10-22 11:42 66,688 --a------ C:\WINDOWS\system32\drivers\nvarm.sys
2008-01-12 21:37 . 2004-10-22 11:42 53,760 --a------ C:\WINDOWS\system32\nvopenal.dll
2008-01-12 21:37 . 2004-10-22 11:38 53,376 --a------ C:\WINDOWS\system32\drivers\nvax.sys
2008-01-12 21:37 . 2004-10-11 16:37 32,256 --a------ C:\WINDOWS\system32\NVCOAD.DLL
2008-01-12 21:37 . 2004-10-22 11:42 30,208 --a------ C:\WINDOWS\system32\nvasio.dll
2008-01-12 21:37 . 2004-10-22 11:42 21,504 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-01-12 21:37 . 2004-10-22 11:42 7,680 --a------ C:\WINDOWS\system32\nvack.dll
2008-01-12 21:37 . 2004-10-22 11:42 5,120 --a------ C:\WINDOWS\system32\ALut.dll
2008-01-12 21:25 . 2008-01-12 21:25 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-12 21:23 . 2008-01-12 21:23 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-12 21:23 . 2008-01-13 20:00 <DIR> d-------- C:\Program Files\Ahead
2008-01-12 21:23 . 2001-07-06 14:41 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2008-01-12 21:23 . 2001-07-06 12:44 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2008-01-12 21:23 . 2001-07-06 18:24 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll
2008-01-12 21:23 . 2006-01-12 15:40 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-12 21:23 . 2001-06-26 08:15 38,912 -ra------ C:\WINDOWS\system32\picn20.dll
2008-01-12 21:05 . 2008-01-12 21:05 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-01-12 21:05 . 2008-01-12 21:05 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-01-12 21:05 . 2008-01-12 21:05 125,690 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-01-12 20:57 . 2006-02-15 01:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-01-12 20:57 . 2006-02-15 01:22 142,464 --a--c--- C:\WINDOWS\system32\dllcache\aec.sys
2008-01-12 20:57 . 2006-06-14 10:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-01-12 20:57 . 2006-06-14 10:00 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-01-12 20:57 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-01-12 20:57 . 2001-08-17 14:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-01-12 20:57 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-01-12 20:57 . 2004-08-03 23:07 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2008-01-12 20:57 . 2006-06-14 09:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-01-12 20:57 . 2006-06-14 09:47 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-01-12 20:52 . 2004-10-11 16:36 176,128 --a------ C:\WINDOWS\system32\nvuaudio.exe
2008-01-12 20:52 . 2004-10-02 02:39 4,050 --a------ C:\WINDOWS\system32\nvaudio.nvu
2008-01-12 20:38 . 2008-01-12 20:38 <DIR> d-------- C:\Program Files\Webshots
2008-01-12 20:38 . 2008-01-12 20:38 1,007,104 --a------ C:\WINDOWS\system32\WEBPRO32.OCX
2008-01-12 20:38 . 2008-01-12 20:38 193,296 --a------ C:\WINDOWS\system32\MCI32.OCX
2008-01-12 17:08 . 2008-01-12 17:15 <DIR> d-------- C:\Program Files\Stellar Phoenix FAT & NTFS
2008-01-12 16:32 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-12 16:32 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-12 16:32 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-12 16:29 . 2008-01-12 16:29 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-01-12 16:29 . 2008-01-12 16:29 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-01-12 16:29 . 2008-01-12 16:29 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-01-12 16:29 . 2008-01-12 16:29 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-01-12 16:29 . 2008-01-12 17:13 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-01-12 16:29 . 2008-01-12 17:15 87 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-01-12 15:26 . 2008-01-24 22:26 <DIR> d-------- C:\Program Files\eMule

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 18:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 18:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-21 11:20 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-11 18:24 --------- d-----w C:\Program Files\Gigabyte
2008-01-11 18:06 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-11 18:01 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{415D402F-A6FC-4CA2-927B-2323BAAFB966}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-01-13 05:36 83456]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Gmail Notifier\gnotify.exe" [2005-07-15 22:48 479232]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"nForce Tray Options"="sstray.exe" [2003-04-07 10:51 73728 C:\WINDOWS\system32\sstray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 08:47 67072 C:\WINDOWS\soundman.exe]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 19:53 2209224]
"RegistryMechanic"="" []
"!AVG Anti-Spyware"="C:\Program Files\AVG Anti-Spyware\avgas.exe" [2007-06-11 10:25 6731312]

C:\Documents and Settings\Nighty & Soncek\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2008-01-12 20:38:51 63064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomlj]

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 01:56]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0c146c2-c075-11dc-bccb-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 02:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
"2008-01-26 14:18:23 C:\WINDOWS\Tasks\SpywareRemover Scheduled Scan.job"
- C:\Program Files\SpywareRemover\SpywareRemover.ex
- C:\Program Files\SpywareRemover
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 18:37:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 18:39:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 17:39:09
.
2008-01-14 19:19:10 --- E O F ---



And new (after the ComboFix) hijackthis.txt ->

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:41:22, on 27.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG Anti-Spyware\guard.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVG Anti-Spyware\avgas.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://klik.nlb.si/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live - Pomoc pri vpisu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Color Calibration.lnk = ?
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware\guard.exe

--
End of file - 5526 bytes


Somehow you're my last line of defence, so please help.
Any advice would be more than helpful!!

Edited by Night-Wish, 02 February 2008 - 05:28 AM.


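As an added example (not from the post, and not a ComboFix tool), here are the heuristics a responder applies by eye to a log like the one above, written out as a small parser. It reads the "Files Created" lines (created time, modified time, size or <DIR>, ComboFix's attribute string, path), the winlogon\notify key and the MountPoints2 autorun command, and reports entries that deserve a second look: hidden+system files dropped directly in system32, .dll/.sys files far too small to be real PE images (the 1,025-byte clauth1.dll above), archive extensions or extension-less files in system32, a third-party winlogon notify package, and an autorun command recorded for removable media. The sample lines are copied from the first ComboFix log in this thread; the 2048-byte size threshold and the extension lists are assumptions. Hits are leads, not verdicts: legitimate copy-protection and licensing components also plant hidden system files in system32, so confirm with a hash lookup or signature check before deleting anything.

```python
"""Triage helper for a ComboFix-style log (added example, not part of ComboFix).
Parses 'Files Created' entries plus two registry loading points and applies
review heuristics; thresholds and extension lists below are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2008-01-21 19:55 . 2008-01-25 20:16 1,890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-21 19:55 . 2008-01-25 20:16 56 -rahs---- C:\WINDOWS\system32\65A8E0D73B.sys
2008-01-20 17:01 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-01-15 19:25 . 2008-01-15 19:25 0 --a------ C:\WINDOWS\system32\0
2008-01-12 16:29 . 2008-01-12 16:29 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-01-12 16:29 . 2008-01-12 16:29 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-01-12 15:26 . 2008-01-24 22:26 <DIR> d-------- C:\Program Files\eMule
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomlj]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0c146c2-c075-11dc-bccb-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

# "<created> . <modified> <size|<DIR>> <9-char attribute string> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$")
NOTIFY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.IGNORECASE)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+?)\s*$", re.IGNORECASE)

SYSTEM32 = r"c:\windows\system32"
PE_EXT = {".dll", ".exe", ".sys", ".ocx", ".scr", ".cpl", ".drv"}   # assumption
ARCHIVE_EXT = {".tgz", ".tar", ".gz", ".zip", ".rar"}               # assumption
MIN_PE_SIZE = 2048  # assumption: a real PE image in system32 is larger than this


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for a directory
    attrs: str            # ComboFix attribute string, e.g. "--ahs----"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def hidden_system(self) -> bool:
        # ComboFix prints 'h' for Hidden and 's' for System in the attribute string
        return "h" in self.attrs and "s" in self.attrs

    @property
    def directly_in_system32(self) -> bool:
        low = self.path.lower()
        return low.startswith(SYSTEM32 + "\\") and "\\" not in low[len(SYSTEM32) + 1:]


def parse_entries(text: str) -> List[Entry]:
    """Parse every 'Files Created' style line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            out.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return out


def flag_entry(e: Entry) -> List[str]:
    """Review heuristics for one file entry; each string is a reason for a second look."""
    reasons = []
    if e.is_dir or not e.directly_in_system32:
        return reasons
    name = e.path.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if e.hidden_system:
        reasons.append("hidden+system file dropped directly in system32")
    if ext in PE_EXT and e.size < MIN_PE_SIZE:
        reasons.append(f"{ext} of only {e.size} bytes is too small to be a real PE image")
    if ext in ARCHIVE_EXT:
        reasons.append(f"archive extension {ext} does not belong in system32")
    if not ext:
        reasons.append("extension-less file in system32")
    return reasons


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs for files and registry lines worth reviewing."""
    findings = [(e.path, r) for e in parse_entries(text) for r in flag_entry(e)]
    for line in text.splitlines():
        line = line.strip()
        m = NOTIFY_RE.match(line)
        if m:
            findings.append((m.group(1), "winlogon notify package: DLL loaded into winlogon at logon"))
        m = AUTORUN_RE.match(line)
        if m:
            findings.append((m.group(1), "removable-media autorun command recorded under MountPoints2"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{item:45} {reason}")
```

Running it prints one line per finding. Note how the posted log itself shows why the registry checks matter: ComboFix had already deleted C:\WINDOWS\system32\opnomlj.dll under "Other Deletions", yet the winlogon\notify\opnomlj key was still listed under "Reg Loading Points". The loader entry outlived the file, which is exactly the kind of leftover a responder wants surfaced.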
#2
Rorschach112
Retired Staff, 47,710 posts
Hello

Delete your version of ComboFix.exe and the folder C:\qoobox then do this

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3
Night-Wish (Topic Starter)
New Member, 6 posts
Hey... Thank you for taking the time!

So this is the latest report. Below are my ComboFix.txt and HijackThis.txt.
Since the last post I've been playing with my computer and I must say that there have been no Avast virus alerts since... Did I do anything, or did Avast just give up? :)

ComboFix 08-02.02.5 - Nighty & Soncek 2008-02-02 18:17:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.773 [GMT 1:00]
Running from: C:\Documents and Settings\Nighty & Soncek\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-01-31 11:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-31 11:48 . 2008-01-31 11:49 <DIR> d-------- C:\Program Files\Java
2008-01-31 11:48 . 2008-01-31 11:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-30 10:12 . 2008-01-30 10:12 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-30 10:12 . 2008-01-30 10:14 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-30 10:12 . 2008-01-30 10:14 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-30 10:12 . 2008-01-30 10:14 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-28 21:37 . 2008-01-28 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 20:59 . 2008-01-27 20:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-27 15:50 . 2008-01-27 20:59 <DIR> d-------- C:\Program Files\AVG Anti-Spyware
2008-01-27 15:50 . 2008-01-27 15:50 <DIR> d-------- C:\Documents and Settings\Nighty & Soncek\Application Data\Grisoft
2008-01-27 15:50 . 2008-01-27 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-27 15:50 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-26 15:18 . 2008-01-26 15:18 <DIR> d-------- C:\Documents and Settings\Nighty & Soncek\Application Data\SpywareRemover
2008-01-26 14:48 . 2008-01-26 14:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-26 14:44 . 2008-01-28 22:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-26 14:44 . 2008-01-28 22:48 <DIR> d-------- C:\Documents and Settings\Nighty & Soncek\Application Data\SUPERAntiSpyware.com
2008-01-25 13:05 . 2008-01-25 13:05 1,459 --a------ C:\WINDOWS\system32\HotPlug.GIF
2008-01-23 16:55 . 2004-10-11 16:36 176,128 --a------ C:\WINDOWS\system32\nvumpu.exe
2008-01-23 16:44 . 2008-01-23 16:44 <DIR> d-------- C:\Program Files\AC3Filter
2008-01-23 16:42 . 2008-01-23 16:42 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-01-23 16:42 . 2007-08-18 08:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-01-22 14:37 . 2008-01-22 14:37 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Pro
2008-01-22 11:59 . 2008-01-22 13:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-22 11:40 . 2008-01-22 12:53 <DIR> d-------- C:\Documents and Settings\Nighty & Soncek\Application Data\RegClean
2008-01-22 11:39 . 2008-01-22 11:40 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-01-21 19:57 . 2008-01-21 19:57 <DIR> d-------- C:\Documents and Settings\Nighty & Soncek\Application Data\Corel
2008-01-21 19:55 . 2008-01-25 20:16 1,890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-21 19:55 . 2008-01-25 20:16 56 -rahs---- C:\WINDOWS\system32\65A8E0D73B.sys
2008-01-21 19:37 . 2008-01-21 19:37 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-01-21 19:29 . 2008-01-21 19:37 <DIR> d-------- C:\Program Files\Macromedia
2008-01-21 19:29 . 2008-01-21 19:35 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-01-21 19:28 . 2008-01-21 19:36 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-21 19:23 . 2008-01-21 19:23 <DIR> d--h----- C:\Documents and Settings\Nighty & Soncek\InstallAnywhere
2008-01-21 12:40 . 2008-01-23 16:26 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2008-01-21 12:40 . 2008-01-21 12:40 <DIR> d-------- C:\Documents and Settings\Nighty & Soncek\Application Data\Media Player Classic
2008-01-21 12:32 . 2008-01-21 12:32 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-21 12:17 . 2008-01-21 12:51 <DIR> d-------- C:\Program Files\BSplayer
2008-01-20 17:01 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-01-20 17:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-20 17:01 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-20 17:01 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-16 21:14 . 2008-01-16 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-01-16 21:14 . 2008-01-16 21:14 1,392,304 --a------ C:\WINDOWS\system32\AutoPartNt.exe
2008-01-16 21:14 . 2008-01-16 21:15 1,024 --a------ C:\WINDOWS\system32\AutoPartNt.let
2008-01-16 20:19 . 2008-01-16 20:19 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-01-16 14:11 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-01-16 14:11 . 2004-08-03 23:08 60,288 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-01-15 19:31 . 2008-01-16 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-01-15 19:25 . 2008-01-16 14:07 32 --a------ C:\WINDOWS\0
2008-01-15 19:25 . 2008-01-15 19:25 0 --a------ C:\WINDOWS\system32\0
2008-01-13 20:35 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-13 20:35 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-13 20:34 . 2004-04-23 07:00 116,736 --a------ C:\WINDOWS\system32\CNMLM5y.DLL
2008-01-13 20:34 . 2004-03-11 18:06 86,016 --a------ C:\WINDOWS\system32\CNMCP5y.exe
2008-01-13 20:34 . 2004-04-23 07:00 7,680 --a------ C:\WINDOWS\system32\CNMVS5y.DLL
2008-01-13 20:32 . 2008-01-13 20:32 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-13 20:32 . 2008-01-13 20:32 <DIR> d-------- C:\Program Files\Zone Labs
2008-01-13 20:27 . 2008-01-13 20:28 <DIR> d-------- C:\Program Files\Real Alternative
2008-01-13 20:27 . 2008-01-13 20:27 <DIR> d-------- C:\Program Files\Media Player Classic
2008-01-13 20:21 . 2008-01-13 20:34 <DIR> d-------- C:\Canon iP1500
2008-01-13 20:00 . 2004-07-26 16:16 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-01-13 20:00 . 2004-07-26 16:16 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-01-13 20:00 . 2004-07-26 16:16 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-01-13 20:00 . 2004-07-09 08:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-01-13 20:00 . 2004-07-26 16:16 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-01-13 20:00 . 2005-09-01 11:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-01-13 20:00 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-13 20:00 . 2005-09-01 11:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-13 18:50 . 2008-01-13 18:50 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-12 21:44 . 2008-01-31 20:34 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-12 21:37 . 2004-10-22 11:42 919,424 --a------ C:\WINDOWS\system32\drivers\nvmcp.sys
2008-01-12 21:37 . 2004-10-22 11:41 413,824 --a------ C:\WINDOWS\system32\drivers\nvapu.sys
2008-01-12 21:37 . 2004-10-22 11:42 66,688 --a------ C:\WINDOWS\system32\drivers\nvarm.sys
2008-01-12 21:37 . 2004-10-22 11:42 53,760 --a------ C:\WINDOWS\system32\nvopenal.dll
2008-01-12 21:37 . 2004-10-22 11:38 53,376 --a------ C:\WINDOWS\system32\drivers\nvax.sys
2008-01-12 21:37 . 2004-10-11 16:37 32,256 --a------ C:\WINDOWS\system32\NVCOAD.DLL
2008-01-12 21:37 . 2004-10-22 11:42 30,208 --a------ C:\WINDOWS\system32\nvasio.dll
2008-01-12 21:37 . 2004-10-22 11:42 21,504 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-01-12 21:37 . 2004-10-22 11:42 7,680 --a------ C:\WINDOWS\system32\nvack.dll
2008-01-12 21:37 . 2004-10-22 11:42 5,120 --a------ C:\WINDOWS\system32\ALut.dll
2008-01-12 21:27 . 2008-01-13 20:01 <DIR> d-------- C:\Documents and Settings\Nighty & Soncek\Application Data\Ahead
2008-01-12 21:25 . 2008-01-12 21:25 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-12 21:23 . 2008-01-12 21:23 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-12 21:23 . 2008-01-13 20:00 <DIR> d-------- C:\Program Files\Ahead
2008-01-12 21:23 . 2001-07-06 14:41 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2008-01-12 21:23 . 2001-07-06 12:44 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2008-01-12 21:23 . 2001-07-06 18:24 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll
2008-01-12 21:23 . 2006-01-12 15:40 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-12 21:23 . 2001-06-26 08:15 38,912 -ra------ C:\WINDOWS\system32\picn20.dll
2008-01-12 21:05 . 2008-01-12 21:05 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-01-12 21:05 . 2008-01-12 21:05 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-01-12 21:05 . 2008-01-12 21:05 125,690 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-01-12 20:57 . 2006-02-15 01:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-01-12 20:57 . 2006-02-15 01:22 142,464 --a--c--- C:\WINDOWS\system32\dllcache\aec.sys
2008-01-12 20:57 . 2006-06-14 10:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-01-12 20:57 . 2006-06-14 10:00 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-01-12 20:57 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-01-12 20:57 . 2001-08-17 14:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-01-12 20:57 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 18:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 18:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-21 11:20 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-11 18:24 --------- d-----w C:\Program Files\Gigabyte
2008-01-11 18:01 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-01-13 05:36 83456]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Gmail Notifier\gnotify.exe" [2005-07-15 22:48 479232]
"nForce Tray Options"="sstray.exe" [2003-04-07 10:51 73728 C:\WINDOWS\system32\sstray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 08:47 67072 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

C:\Documents and Settings\Nighty & Soncek\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2008-01-12 20:38:51 63064]

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 01:56]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0c146c2-c075-11dc-bccb-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 02:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
"2008-01-26 14:18:23 C:\WINDOWS\Tasks\SpywareRemover Scheduled Scan.job"
- C:\Program Files\SpywareRemover\SpywareRemover.ex
- C:\Program Files\SpywareRemover
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 18:18:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 18:18:40
.
2008-01-14 19:19:10 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:19, on 2008-02-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\AVG Anti-Spyware\avgas.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://klik.nlb.si/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live - Pomoc pri vpisu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Color Calibration.lnk = ?
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware\guard.exe

--
End of file - 5133 bytes


#4 Rorschach112 (Retired Staff)
Hello

No need to put the logs in quote boxes


1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:

File::
E:\setup.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0c146c2-c075-11dc-bccb-806d6172696f}]


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window while it's running, as that may cause it to stall.





Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on Next.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now, under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.

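As an added example (not code from the thread, from ComboFix or from its author), the following Python script triages the "Reg Loading Points" section of a ComboFix log like the one posted above: it flags any MountPoints2 Shell\AutoRun\command entry (the E:\setup.exe one that the CFScript in the reply removes) and any Run-key value that is a bare file name rather than a full path. The log text embedded in the script is a constructed excerpt modelled on the posted log; the rule set and the trusted-root list are this example's own assumptions, not ComboFix's.

```python
"""Triage of the "Reg Loading Points" section of a ComboFix log.

Added example; it is not code from the Geeks to Go thread, from ComboFix
or from its author. SAMPLE_LOG is a constructed excerpt modelled on the
log posted above, and the rules below (trusted roots, what counts as
suspicious) are this example's own assumptions, not ComboFix's.
"""
import re

# "[HKEY_...\Run]" section headers, as ComboFix prints them.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="command" [date time size <resolved path>]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# The per-volume AutoRun command cached under MountPoints2.
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
# Assumption: executables launched at logon are expected under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Constructed excerpt modelled on the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"nForce Tray Options"="sstray.exe" [2003-04-07 10:51 73728 C:\WINDOWS\system32\sstray.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 08:47 67072 C:\WINDOWS\soundman.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0c146c2-c075-11dc-bccb-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""


def parse_loading_points(text):
    """Return (key, name, command, meta) tuples for every loading point."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group("name"), m.group("cmd"), m.group("meta")))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append((key, "Shell\\AutoRun\\command", m.group("cmd"), ""))
    return entries


def resolved_path(meta):
    """ComboFix appends the path it resolved a bare file name to after the size."""
    parts = meta.split(None, 3)
    return parts[3] if len(parts) == 4 else ""


def triage(entries):
    """Return (rule, subject, detail) findings a helper would act on."""
    findings = []
    for key, name, cmd, meta in entries:
        if "mountpoints2" in key.lower():
            # A cached AutoRun command for a removable volume: it runs when
            # the drive is opened, so it is the first thing to remove.
            findings.append(("autorun", key, cmd))
        elif "\\" not in cmd:
            # A bare file name is found by search order at logon, not by a
            # fixed path; report where ComboFix says it actually resolved.
            findings.append(("unqualified-path", name, resolved_path(meta) or cmd))
        elif not cmd.lower().startswith(TRUSTED_ROOTS):
            findings.append(("unusual-location", name, cmd))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{rule:17} {subject}  ->  {detail}")
```

The MountPoints2 key is where Explorer caches the AutoRun settings it read from a volume, which is why the reply removes the key as well as the file: deleting E:\setup.exe alone would leave the cached command behind. The two "unqualified-path" findings (sstray.exe, SOUNDMAN.EXE) are benign on this machine, but a bare name is worth a look every time because it is resolved by search order rather than by a fixed path.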

#5 Night-Wish (Topic Starter)
OK, Kaspersky has finished scanning...

I made a tiny mistake by closing the scan window, so I saved only a ".html" version of the scan report and now I'm too lazy to do the 1 hour scan all over again. I hope this will do... (see the attachment)

Oh, about the quote boxes... I think I have a slight "OCD" (I just like to have things in order)... So you can imagine what it means to me if something isn't right with my computer :) :)

Attached Files


#6 Rorschach112 (Retired Staff)
Ok we are nearly done

Delete this file:

H:\UPORABNI PROGRAMI v2.0\Nero-6.6.1.15a.exe


Then post a new HijackThis log and tell me how your PC is running

Edited by Rorschach112, 03 February 2008 - 10:50 AM.

#7 Night-Wish (Topic Starter)
OK... File deleted and here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:48, on 2008-02-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\AVG Anti-Spyware\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\AVG Anti-Spyware\avgas.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://klik.nlb.si/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live - Pomoc pri vpisu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Color Calibration.lnk = ?
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware\guard.exe

--
End of file - 5233 bytes


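Added example (not from the thread and not code from HijackThis): comparing two HijackThis logs section by section, which is what the helper does by eye when asking for a fresh log after a fix. Both excerpts embedded below are constructed, trimmed copies of the logs posted earlier in the thread and just above; the diff reports the Kaspersky O16 DPF control that the online scan added and the Firefox process that was no longer running.

```python
"""Section-by-section diff of two HijackThis v2 logs.

Added example; it is not part of the Geeks to Go thread and not code
from HijackThis. The two logs below are constructed, trimmed excerpts
of the logs posted in the thread (2008-02-02 and 2008-02-03).
"""
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Lines under "Running processes:" are bare executable paths.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.(?:exe|scr)$", re.IGNORECASE)

BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:19, on 2008-02-02

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://klik.nlb.si/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
"""

AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:48, on 2008-02-03

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://klik.nlb.si/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
"""


def parse_log(text):
    """Map each section ("process", "R0", "O4", ...) to the set of its lines.

    Sets make the comparison independent of ordering, which changes between
    scans (process start order, for instance). Process paths are lowercased
    because NTFS paths are case-insensitive: explorer.exe and Explorer.EXE
    are the same binary and must not show up as one removal plus one addition.
    """
    sections = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            sections.setdefault(m.group("sec"), set()).add(m.group("body"))
        elif PROCESS_RE.match(line):
            sections.setdefault("process", set()).add(line.lower())
    return sections


def diff_logs(before, after):
    """Return (added, removed) lists, each entry formatted as "<section> - <body>"."""
    old, new = parse_log(before), parse_log(after)
    added, removed = [], []
    for sec in sorted(set(old) | set(new)):
        old_set, new_set = old.get(sec, set()), new.get(sec, set())
        added.extend(f"{sec} - {body}" for body in sorted(new_set - old_set))
        removed.extend(f"{sec} - {body}" for body in sorted(old_set - new_set))
    return added, removed


if __name__ == "__main__":
    added, removed = diff_logs(BEFORE, AFTER)
    print("Added since the previous log:")
    for entry in added:
        print("  +", entry)
    print("Gone since the previous log:")
    for entry in removed:
        print("  -", entry)
```

A plain text diff of the two logs would also report the explorer.exe line as changed (it moved and changed case between scans); comparing per section with case-normalised process paths leaves only the two real changes, which is the signal a helper wants when deciding whether a log is clean.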

#8 Rorschach112 (Retired Staff)
Your logs are clean! We need to do a few things.

You can delete the tools that we used.


Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it and click Create; when the confirmation screen shows that the restore point has been created, click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
#9 Night-Wish (Topic Starter)
Well, the computer seems to be clean now :) I can't thank you enough for your patience...!!

Keep up the "G2g" work, the World needs unselfish people like you!

Thanks, bye!
#10 Rorschach112 (Retired Staff)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.