Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Rootkit.tncore/trace removal [RESOLVED]


  • This topic is locked This topic is locked

#1
Dinamo

Dinamo

    New Member

  • Member
  • Pip
  • 4 posts
I can't get rid of this pest. I' ve tried Spybot, Adawere, Spywere doctor, SUPERAntiSpyware, Avg antispywere, Sdfix...Some of them deleted core.cache.dsk, but it was always back infected after rebooting...


I would really appreciate some help. :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:30, on 30.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Last.fm\LastFMHelper.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forum.hr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = D:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4101BDD-0F34-4B82-9585-23301212D5F6}: NameServer = 195.29.150.3,195.29.150.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Security Service (OSCO) - Unknown owner - D:\WINDOWS\system32\svcd\svchost.exe (file missing)

--
End of file - 7532 bytes
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
Dinamo

Dinamo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thank you for you time, miekiemoes!

Here are the logs:


ComboFix 08-01-31.1 - hrvoje 2008-01-30 21:10:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.243 [GMT 1:00]
Running from: D:\Documents and Settings\hrvoje\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-26 12:05 . 2008-01-26 12:05 <DIR> d-------- D:\Program Files\Trend Micro
2008-01-26 00:47 . 2008-01-26 02:08 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2008-01-26 00:26 . 2008-01-30 00:57 167,545 --a------ D:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-25 23:42 . 2008-01-30 00:26 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-01-25 23:42 . 2008-01-25 23:42 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\SUPERAntiSpyware.com
2008-01-25 23:42 . 2008-01-25 23:42 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-25 23:32 . 2008-01-25 23:32 <DIR> d-------- D:\WINDOWS\ERUNT
2008-01-25 21:57 . 2008-01-25 23:18 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-25 20:40 . 2008-01-25 20:40 <DIR> d-------- D:\Program Files\BitTorrent
2008-01-23 11:23 . 2008-01-23 11:23 <DIR> d-------- D:\Program Files\Lavasoft
2008-01-23 11:23 . 2008-01-23 11:23 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 11:22 . 2008-01-25 23:42 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 10:56 . 2008-01-23 10:56 <DIR> d-------- D:\Program Files\FileASSASSIN
2008-01-21 21:21 . 2005-09-23 07:29 626,688 --a------ D:\WINDOWS\system32\msvcr80.dll
2008-01-21 16:14 . 2006-10-26 19:56 32,592 --a------ D:\WINDOWS\system32\msonpmon.dll
2008-01-21 16:12 . 2008-01-21 16:12 <DIR> d-------- D:\Program Files\Microsoft Works
2008-01-21 16:11 . 2008-01-21 16:11 <DIR> d-------- D:\Program Files\MSBuild
2008-01-21 16:08 . 2008-01-21 16:08 <DIR> d-------- D:\Program Files\Microsoft.NET
2008-01-21 16:05 . 2008-01-21 16:05 <DIR> d-------- D:\Program Files\Microsoft Visual Studio 8
2008-01-21 16:04 . 2008-01-21 16:10 <DIR> d-------- D:\WINDOWS\SHELLNEW
2008-01-21 16:03 . 2008-01-21 16:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-21 16:02 . 2008-01-21 16:02 <DIR> dr-h----- D:\MSOCache
2008-01-21 00:09 . 2008-01-21 00:30 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-01-20 23:50 . 2008-01-21 00:18 3,262 --a------ D:\WINDOWS\system32\sex5.ico
2008-01-20 23:49 . 2008-01-21 00:17 3,262 --a------ D:\WINDOWS\system32\sex4.ico
2008-01-20 23:49 . 2008-01-21 00:17 3,262 --a------ D:\WINDOWS\system32\sex3.ico
2008-01-20 23:48 . 2008-01-21 00:16 3,262 --a------ D:\WINDOWS\system32\sex2.ico
2008-01-20 23:48 . 2008-01-21 00:19 3,262 --a------ D:\WINDOWS\system32\sex1.ico
2008-01-20 23:00 . 2008-01-20 23:00 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\Grisoft
2008-01-20 23:00 . 2007-05-30 13:10 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-20 22:09 . 2008-01-20 22:09 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-01-20 22:09 . 2008-01-20 22:09 1,409 --a------ D:\WINDOWS\QTFont.for
2008-01-14 10:52 . 2008-01-14 11:36 <DIR> d-------- D:\Documents and Settings\hrvoje\.housecall6.6
2008-01-13 13:44 . 2008-01-13 13:44 86,144 --a------ D:\WINDOWS\system32\drivers\hidparsee.sys
2008-01-12 11:25 . 2008-01-12 11:25 <DIR> d-------- D:\Program Files\TVUPlayer
2008-01-10 11:04 . 2008-01-10 11:04 <DIR> d-------- D:\WINDOWS\Sun
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ D:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ D:\WINDOWS\bdoscandellang.ini
2008-01-07 14:21 . 2008-01-07 14:21 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ATI
2008-01-07 14:18 . 2007-12-05 14:17 593,920 --------- D:\WINDOWS\system32\ati2sgag.exe
2008-01-07 14:17 . 2008-01-07 14:19 <DIR> d-------- D:\Program Files\ATI Technologies
2008-01-07 13:23 . 2008-01-07 13:23 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ESET
2008-01-07 13:17 . 2008-01-07 13:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avg7
2008-01-03 11:49 . 2008-01-25 22:59 101 --a------ D:\WINDOWS\WININIT.INI
2008-01-01 12:51 . 2008-01-01 12:51 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\ACD Systems
2008-01-01 12:47 . 2008-01-01 12:47 <DIR> d-------- D:\Program Files\Common Files\ACD Systems
2008-01-01 12:47 . 2008-01-01 12:47 <DIR> d-------- D:\Program Files\ACD Systems
2008-01-01 12:47 . 2008-01-01 12:47 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ACD Systems
2008-01-01 12:44 . 2008-01-01 12:47 10,368 --a------ D:\WINDOWS\system32\drivers\pfc.sys
2007-12-29 12:30 . 2008-01-20 00:43 <DIR> d-------- D:\Program Files\eMule
2007-12-29 01:24 . 2007-12-29 12:25 <DIR> d-------- D:\Program Files\DC++
2007-12-26 12:57 . 2007-12-26 12:57 <DIR> d--hs---- D:\found.003
2007-12-21 08:21 . 2007-12-21 08:21 33,800 --a------ D:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 08:20 . 2007-12-21 08:20 30,216 --a------ D:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 08:19 . 2007-12-21 08:19 39,944 --a------ D:\WINDOWS\system32\drivers\eamon.sys
2007-12-20 16:51 . 2007-12-20 16:51 <DIR> d--hs---- D:\found.002
2007-12-18 21:13 . 2008-01-12 11:28 <DIR> d-------- D:\Program Files\TVAnts
2007-12-15 12:43 . 2007-12-15 12:43 1,158 --a------ D:\WINDOWS\mozver.dat
2007-12-14 11:32 . 2007-12-14 11:32 12,632 --a------ D:\WINDOWS\system32\lsdelete.exe
2007-12-13 22:23 . 2007-12-13 22:23 0 --a------ D:\WINDOWS\nsreg.dat
2007-12-11 13:29 . 2007-12-11 13:53 <DIR> d-------- D:\WINDOWS\system32\rserver30
2007-12-11 00:08 . 2008-01-07 13:46 <DIR> d----c--- D:\WINDOWS\system32\DRVSTORE
2007-12-11 00:07 . 2008-01-07 13:47 <DIR> d-------- D:\Program Files\RALINK
2007-12-10 00:47 . 2007-12-10 00:48 <DIR> d-------- D:\Program Files\Common Files\Adobe
2007-12-09 12:15 . 2008-01-13 13:43 <DIR> d-------- D:\Program Files\Webteh
2007-12-09 12:15 . 2008-01-13 13:46 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\BSplayer Pro
2007-12-09 12:15 . 2007-12-09 12:24 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\BSplayer
2007-12-09 12:12 . 2007-12-01 00:00 60,273 --a------ D:\WINDOWS\system32\pthreadGC2.dll
2007-12-08 07:50 . 2007-12-08 07:50 <DIR> d--hs---- D:\found.001
2007-12-07 18:22 . 2008-01-01 12:45 <DIR> d-------- D:\WINDOWS\Downloaded Installations
2007-12-07 18:22 . 2007-12-07 18:22 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\Sierra Wireless
2007-12-07 18:11 . 2007-08-24 18:26 183,312 --a------ D:\WINDOWS\system32\CoreAVCDecoder.ax
2007-12-07 17:29 . 2007-12-07 17:29 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\Radmin
2007-12-06 17:00 . 2007-12-06 17:00 <DIR> d--hs---- D:\found.000
2007-12-05 04:05 . 2007-12-05 04:05 368,640 --a------ D:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:56 . 2007-12-05 03:56 147,456 --a------ D:\WINDOWS\system32\atipdlxx.dll
2007-12-05 03:55 . 2007-12-05 03:55 122,880 --a------ D:\WINDOWS\system32\Oemdspif.dll
2007-12-05 03:55 . 2007-12-05 03:55 122,880 --a------ D:\WINDOWS\system32\ati2evxx.dll
2007-12-05 03:55 . 2007-12-05 03:55 43,520 --a------ D:\WINDOWS\system32\ati2edxx.dll
2007-12-05 03:55 . 2007-12-05 03:55 26,112 --a------ D:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 03:54 . 2007-12-05 03:54 307,200 --a------ D:\WINDOWS\system32\atiiiexx.dll
2007-12-05 03:53 . 2007-12-05 03:53 495,616 --a------ D:\WINDOWS\system32\ati2evxx.exe
2007-12-05 03:53 . 2007-12-05 03:53 53,248 --a------ D:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 03:48 . 2007-12-05 03:48 9,535,488 --a------ D:\WINDOWS\system32\atioglx2.dll
2007-12-05 03:33 . 2007-12-05 03:33 3,107,788 --a------ D:\WINDOWS\system32\ativvaxx.dat
2007-12-05 03:33 . 2007-12-05 03:33 3,107,788 --a------ D:\WINDOWS\system32\ativva5x.dat
2007-12-05 03:33 . 2007-12-05 03:33 887,724 --a------ D:\WINDOWS\system32\ativva6x.dat
2007-12-05 03:19 . 2007-12-05 03:19 5,435,392 --a------ D:\WINDOWS\system32\atioglxx.dll
2007-12-05 03:19 . 2007-12-05 03:19 385,024 --a------ D:\WINDOWS\system32\atikvmag.dll
2007-12-05 03:17 . 2007-12-05 03:17 17,408 --a------ D:\WINDOWS\system32\atitvo32.dll
2007-12-05 03:16 . 2007-12-05 03:16 49,152 --a------ D:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 03:14 . 2007-12-05 03:14 180,224 --a------ D:\WINDOWS\system32\atiok3x2.dll
2007-12-03 21:49 . 2001-08-17 14:02 9,600 --a------ D:\WINDOWS\system32\drivers\hidusb.sys
2007-12-03 21:49 . 2001-08-17 14:02 9,600 --a--c--- D:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-03 12:42 . 2007-12-03 12:42 <DIR> d-------- D:\Program Files\KONAMI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 21:48 --------- d-----w D:\Documents and Settings\hrvoje\Application Data\BitTorrent
2008-01-25 19:50 --------- d-----w D:\Documents and Settings\hrvoje\Application Data\BitTorrent DNA
2008-01-18 11:19 --------- d-----w D:\Program Files\Google
2008-01-07 13:19 --------- d-----w D:\Program Files\Common Files\InstallShield
2008-01-07 12:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-06 15:28 --------- d-----w D:\Program Files\SopCast
2008-01-04 11:18 --------- d-----w D:\Program Files\Last.fm
2007-12-26 16:45 --------- d-----w D:\Documents and Settings\hrvoje\Application Data\SopCast
2007-12-14 10:23 --------- d-----w D:\Program Files\OpenOffice.org 2.3
2007-12-10 23:07 --------- d--h--w D:\Program Files\InstallShield Installation Information
2007-12-07 21:14 --------- d-----w D:\Documents and Settings\hrvoje\Application Data\OpenOffice.org2
2007-12-05 19:17 7,680 ----a-w D:\WINDOWS\system32\ff_vfw.dll
2007-12-05 05:26 2,782,208 ----a-w D:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:04 269,312 ----a-w D:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:44 3,175,584 ----a-w D:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w D:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:11 499,712 ----a-w D:\WINDOWS\system32\ati2cqag.dll
2007-12-01 14:00 --------- d-----w D:\Program Files\DAEMON Tools
2007-11-28 23:10 --------- d-----w D:\Documents and Settings\hrvoje\Application Data\Ahead
2007-11-12 23:57 218,624 ----a-w D:\WINDOWS\system32\uxtheme.dll
2007-11-10 00:22 499,712 ----a-w D:\WINDOWS\system32\msvcp71.dll
2007-11-10 00:22 348,160 ----a-w D:\WINDOWS\system32\msvcr71.dll
2007-11-08 00:10 107,888 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-10-29 22:35 1,287,680 ----a-w D:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w D:\WINDOWS\system32\wmasf.dll
2007-10-10 23:47 825,344 ----a-w D:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"NBJ"="D:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 13:27 2048000]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2007-09-20 06:50 1694208]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"StormCodec_Helper"="D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 19:30 97357]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 D:\WINDOWS\system32\bthprops.cpl]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"egui"="D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"googletalk"="D:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

D:\Documents and Settings\hrvoje\Start Menu\Programs\Startup\
Last.fm Helper.lnk - D:\Program Files\Last.fm\LastFMHelper.exe [2007-11-24 21:32:38 106496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-02-24 12:21]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 12:37]
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R1 hidparsee;hidparsee;D:\WINDOWS\system32\drivers\hidparsee.sys [2008-01-13 13:44]
S2 OSCO;Security Service;D:\WINDOWS\system32\svcd\svchost.exe []
S3 mirrorv3;mirrorv3;D:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 05:01]
S3 SWUMX20;Sierra Wireless USB MUX Driver (UMTS20);D:\WINDOWS\system32\DRIVERS\swumx20.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 21:13:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Last.fm\LastFMHelper.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2008-01-31 21:14:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 20:14:15
ComboFix2.txt 2008-01-25 23:15:42
.
2008-01-04 12:08:01 --- E O F ---






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:15:42, on 31.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Last.fm\LastFMHelper.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forum.hr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = D:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4101BDD-0F34-4B82-9585-23301212D5F6}: NameServer = 195.29.150.3,195.29.150.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Security Service (OSCO) - Unknown owner - D:\WINDOWS\system32\svcd\svchost.exe (file missing)

--
End of file - 7559 bytes
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
D:\WINDOWS\system32\drivers\core.cache.dsk
D:\WINDOWS\system32\drivers\hidparsee.sys
D:\WINDOWS\WININIT.INI

Driver::
hidparsee
OSCO


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

By the way, do you know these icons?

D:\WINDOWS\system32\sex5.ico
D:\WINDOWS\system32\sex4.ico
D:\WINDOWS\system32\sex3.ico
D:\WINDOWS\system32\sex2.ico
D:\WINDOWS\system32\sex1.ico

If not, delete them...
  • 0

#5
Dinamo

Dinamo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I have deleted the sex icons, don't know what they were. :)

ComboFix 08-01-31.1 - hrvoje 2008-01-31 21:40:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.206 [GMT 1:00]
Running from: D:\Documents and Settings\hrvoje\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\hrvoje\Desktop\CFScript.txt
* Created a new restore point

FILE
D:\WINDOWS\system32\drivers\core.cache.dsk
D:\WINDOWS\system32\drivers\hidparsee.sys
D:\WINDOWS\WININIT.INI
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\drivers\core.cache.dsk
D:\WINDOWS\system32\drivers\hidparsee.sys
D:\WINDOWS\system32\drivers\core.cache.dsk
D:\WINDOWS\system32\drivers\hidparsee.sys
D:\WINDOWS\WININIT.INI

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_HIDPARSEE
-------\LEGACY_OSCO
-------\hidparsee
-------\OSCO


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-26 12:05 . 2008-01-26 12:05 <DIR> d-------- D:\Program Files\Trend Micro
2008-01-26 00:47 . 2008-01-26 02:08 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2008-01-25 23:42 . 2008-01-30 00:26 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-01-25 23:42 . 2008-01-25 23:42 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\SUPERAntiSpyware.com
2008-01-25 23:42 . 2008-01-25 23:42 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-25 23:32 . 2008-01-25 23:32 <DIR> d-------- D:\WINDOWS\ERUNT
2008-01-25 21:57 . 2008-01-25 23:18 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-25 20:40 . 2008-01-25 20:40 <DIR> d-------- D:\Program Files\BitTorrent
2008-01-23 11:23 . 2008-01-23 11:23 <DIR> d-------- D:\Program Files\Lavasoft
2008-01-23 11:23 . 2008-01-23 11:23 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 11:22 . 2008-01-25 23:42 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 10:56 . 2008-01-23 10:56 <DIR> d-------- D:\Program Files\FileASSASSIN
2008-01-21 21:21 . 2005-09-23 07:29 626,688 --a------ D:\WINDOWS\system32\msvcr80.dll
2008-01-21 16:14 . 2006-10-26 19:56 32,592 --a------ D:\WINDOWS\system32\msonpmon.dll
2008-01-21 16:12 . 2008-01-21 16:12 <DIR> d-------- D:\Program Files\Microsoft Works
2008-01-21 16:11 . 2008-01-21 16:11 <DIR> d-------- D:\Program Files\MSBuild
2008-01-21 16:08 . 2008-01-21 16:08 <DIR> d-------- D:\Program Files\Microsoft.NET
2008-01-21 16:05 . 2008-01-21 16:05 <DIR> d-------- D:\Program Files\Microsoft Visual Studio 8
2008-01-21 16:04 . 2008-01-21 16:10 <DIR> d-------- D:\WINDOWS\SHELLNEW
2008-01-21 16:03 . 2008-01-21 16:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-21 16:02 . 2008-01-21 16:02 <DIR> dr-h----- D:\MSOCache
2008-01-21 00:09 . 2008-01-21 00:30 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-01-20 23:00 . 2008-01-20 23:00 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\Grisoft
2008-01-20 23:00 . 2007-05-30 13:10 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-20 22:09 . 2008-01-20 22:09 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-01-20 22:09 . 2008-01-20 22:09 1,409 --a------ D:\WINDOWS\QTFont.for
2008-01-14 10:52 . 2008-01-14 11:36 <DIR> d-------- D:\Documents and Settings\hrvoje\.housecall6.6
2008-01-12 11:25 . 2008-01-12 11:25 <DIR> d-------- D:\Program Files\TVUPlayer
2008-01-10 11:04 . 2008-01-10 11:04 <DIR> d-------- D:\WINDOWS\Sun
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ D:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ D:\WINDOWS\bdoscandellang.ini
2008-01-07 14:21 . 2008-01-07 14:21 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ATI
2008-01-07 14:18 . 2007-12-05 14:17 593,920 --------- D:\WINDOWS\system32\ati2sgag.exe
2008-01-07 14:17 . 2008-01-07 14:19 <DIR> d-------- D:\Program Files\ATI Technologies
2008-01-07 13:23 . 2008-01-07 13:23 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ESET
2008-01-07 13:17 . 2008-01-07 13:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avg7
2008-01-01 12:51 . 2008-01-01 12:51 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\ACD Systems
2008-01-01 12:47 . 2008-01-01 12:47 <DIR> d-------- D:\Program Files\Common Files\ACD Systems
2008-01-01 12:47 . 2008-01-01 12:47 <DIR> d-------- D:\Program Files\ACD Systems
2008-01-01 12:47 . 2008-01-01 12:47 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ACD Systems
2008-01-01 12:44 . 2008-01-01 12:47 10,368 --a------ D:\WINDOWS\system32\drivers\pfc.sys
2007-12-29 12:30 . 2008-01-20 00:43 <DIR> d-------- D:\Program Files\eMule
2007-12-29 01:24 . 2007-12-29 12:25 <DIR> d-------- D:\Program Files\DC++
2007-12-26 12:57 . 2007-12-26 12:57 <DIR> d--hs---- D:\found.003
2007-12-21 08:21 . 2007-12-21 08:21 33,800 --a------ D:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 08:20 . 2007-12-21 08:20 30,216 --a------ D:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 08:19 . 2007-12-21 08:19 39,944 --a------ D:\WINDOWS\system32\drivers\eamon.sys
2007-12-20 16:51 . 2007-12-20 16:51 <DIR> d--hs---- D:\found.002
2007-12-18 21:13 . 2008-01-12 11:28 <DIR> d-------- D:\Program Files\TVAnts
2007-12-15 12:43 . 2007-12-15 12:43 1,158 --a------ D:\WINDOWS\mozver.dat
2007-12-14 11:32 . 2007-12-14 11:32 12,632 --a------ D:\WINDOWS\system32\lsdelete.exe
2007-12-13 22:23 . 2007-12-13 22:23 0 --a------ D:\WINDOWS\nsreg.dat
2007-12-11 13:29 . 2007-12-11 13:53 <DIR> d-------- D:\WINDOWS\system32\rserver30
2007-12-11 00:08 . 2008-01-07 13:46 <DIR> d----c--- D:\WINDOWS\system32\DRVSTORE
2007-12-11 00:07 . 2008-01-07 13:47 <DIR> d-------- D:\Program Files\RALINK
2007-12-10 00:47 . 2007-12-10 00:48 <DIR> d-------- D:\Program Files\Common Files\Adobe
2007-12-09 12:15 . 2008-01-13 13:43 <DIR> d-------- D:\Program Files\Webteh
2007-12-09 12:15 . 2008-01-13 13:46 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\BSplayer Pro
2007-12-09 12:15 . 2007-12-09 12:24 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\BSplayer
2007-12-09 12:12 . 2007-12-01 00:00 60,273 --a------ D:\WINDOWS\system32\pthreadGC2.dll
2007-12-08 07:50 . 2007-12-08 07:50 <DIR> d--hs---- D:\found.001
2007-12-07 18:22 . 2008-01-01 12:45 <DIR> d-------- D:\WINDOWS\Downloaded Installations
2007-12-07 18:22 . 2007-12-07 18:22 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\Sierra Wireless
2007-12-07 18:11 . 2007-08-24 18:26 183,312 --a------ D:\WINDOWS\system32\CoreAVCDecoder.ax
2007-12-07 17:29 . 2007-12-07 17:29 <DIR> d-------- D:\Documents and Settings\hrvoje\Application Data\Radmin
2007-12-06 17:00 . 2007-12-06 17:00 <DIR> d--hs---- D:\found.000
2007-12-05 04:05 . 2007-12-05 04:05 368,640 --a------ D:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:56 . 2007-12-05 03:56 147,456 --a------ D:\WINDOWS\system32\atipdlxx.dll
2007-12-05 03:55 . 2007-12-05 03:55 122,880 --a------ D:\WINDOWS\system32\Oemdspif.dll
2007-12-05 03:55 . 2007-12-05 03:55 122,880 --a------ D:\WINDOWS\system32\ati2evxx.dll
2007-12-05 03:55 . 2007-12-05 03:55 43,520 --a------ D:\WINDOWS\system32\ati2edxx.dll
2007-12-05 03:55 . 2007-12-05 03:55 26,112 --a------ D:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 03:54 . 2007-12-05 03:54 307,200 --a------ D:\WINDOWS\system32\atiiiexx.dll
2007-12-05 03:53 . 2007-12-05 03:53 495,616 --a------ D:\WINDOWS\system32\ati2evxx.exe
2007-12-05 03:53 . 2007-12-05 03:53 53,248 --a------ D:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 03:48 . 2007-12-05 03:48 9,535,488 --a------ D:\WINDOWS\system32\atioglx2.dll
2007-12-05 03:33 . 2007-12-05 03:33 3,107,788 --a------ D:\WINDOWS\system32\ativvaxx.dat
2007-12-05 03:33 . 2007-12-05 03:33 3,107,788 --a------ D:\WINDOWS\system32\ativva5x.dat
2007-12-05 03:33 . 2007-12-05 03:33 887,724 --a------ D:\WINDOWS\system32\ativva6x.dat
2007-12-05 03:19 . 2007-12-05 03:19 5,435,392 --a------ D:\WINDOWS\system32\atioglxx.dll
2007-12-05 03:19 . 2007-12-05 03:19 385,024 --a------ D:\WINDOWS\system32\atikvmag.dll
2007-12-05 03:17 . 2007-12-05 03:17 17,408 --a------ D:\WINDOWS\system32\atitvo32.dll
2007-12-05 03:16 . 2007-12-05 03:16 49,152 --a------ D:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 03:14 . 2007-12-05 03:14 180,224 --a------ D:\WINDOWS\system32\atiok3x2.dll
2007-12-03 21:49 . 2001-08-17 14:02 9,600 --a------ D:\WINDOWS\system32\drivers\hidusb.sys
2007-12-03 21:49 . 2001-08-17 14:02 9,600 --a--c--- D:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-03 12:42 . 2007-12-03 12:42 <DIR> d-------- D:\Program Files\KONAMI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 21:48 --------- d-----w D:\Documents and Settings\hrvoje\Application Data\BitTorrent
2008-01-25 19:50 --------- d-----w D:\Documents and Settings\hrvoje\Application Data\BitTorrent DNA
2008-01-18 11:19 --------- d-----w D:\Program Files\Google
2008-01-07 13:19 --------- d-----w D:\Program Files\Common Files\InstallShield
2008-01-07 12:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-06 15:28 --------- d-----w D:\Program Files\SopCast
2008-01-04 11:18 --------- d-----w D:\Program Files\Last.fm
2007-12-26 16:45 --------- d-----w D:\Documents and Settings\hrvoje\Application Data\SopCast
2007-12-14 10:23 --------- d-----w D:\Program Files\OpenOffice.org 2.3
2007-12-10 23:07 --------- d--h--w D:\Program Files\InstallShield Installation Information
2007-12-07 21:14 --------- d-----w D:\Documents and Settings\hrvoje\Application Data\OpenOffice.org2
2007-12-05 19:17 7,680 ----a-w D:\WINDOWS\system32\ff_vfw.dll
2007-12-05 05:26 2,782,208 ----a-w D:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:04 269,312 ----a-w D:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:44 3,175,584 ----a-w D:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w D:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:11 499,712 ----a-w D:\WINDOWS\system32\ati2cqag.dll
2007-12-01 14:00 --------- d-----w D:\Program Files\DAEMON Tools
2007-11-28 23:10 --------- d-----w D:\Documents and Settings\hrvoje\Application Data\Ahead
2007-11-12 23:57 218,624 ----a-w D:\WINDOWS\system32\uxtheme.dll
2007-11-10 00:22 499,712 ----a-w D:\WINDOWS\system32\msvcp71.dll
2007-11-10 00:22 348,160 ----a-w D:\WINDOWS\system32\msvcr71.dll
2007-11-08 00:10 107,888 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-10-29 22:35 1,287,680 ----a-w D:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w D:\WINDOWS\system32\wmasf.dll
2007-10-10 23:47 825,344 ----a-w D:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"NBJ"="D:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 13:27 2048000]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2007-09-20 06:50 1694208]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"StormCodec_Helper"="D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 19:30 97357]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 D:\WINDOWS\system32\bthprops.cpl]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"egui"="D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"googletalk"="D:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

D:\Documents and Settings\hrvoje\Start Menu\Programs\Startup\
Last.fm Helper.lnk - D:\Program Files\Last.fm\LastFMHelper.exe [2007-11-24 21:32:38 106496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-02-24 12:21]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 12:37]
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
S3 mirrorv3;mirrorv3;D:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 05:01]
S3 SWUMX20;Sierra Wireless USB MUX Driver (UMTS20);D:\WINDOWS\system32\DRIVERS\swumx20.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 21:43:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Last.fm\LastFMHelper.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
.
**************************************************************************
.
Completion time: 2008-01-31 21:44:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 20:44:08
ComboFix2.txt 2008-01-31 20:14:24
ComboFix3.txt 2008-01-25 23:15:42
.
2008-01-04 12:08:01 --- E O F ---







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:47:55, on 31.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Last.fm\LastFMHelper.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forum.hr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = D:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4101BDD-0F34-4B82-9585-23301212D5F6}: NameServer = 195.29.150.3,195.29.150.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 7462 bytes
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

This looks OK again. :)

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
  • 0

#7
Dinamo

Dinamo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi,

It's looking great! My browser is back to normal, and no more pop-ups!

Thank you very much miekiemoes, you've been a great help. :)
  • 0

#8
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#9
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP