Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

braviax virus HT log [RESOLVED]

Started by Lovltn848 , Feb 16 2008 02:54 PM

  • This topic is locked This topic is locked

#1
Lovltn848
Posted 16 February 2008 - 02:54 PM

Lovltn848

    Member

  • Member
  • PipPipPip
  • 237 posts
I thought I deleted the braviax file but I'm still having issues. Avast keeps popping up and saying I have viruses with filenames like D:\windows\drivers\beep.sys and d:\windows\system32\dllcache\beep.sys. When I went in and tried to delete them I got messages saying I can't delete the file.


Logfile of HijackThis v1.99.1
Scan saved at 1:52:08 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Tiny Personal Firewall\persfw.exe
G:\IObit SmartDefrag\IObit SmartDefrag.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\system32\braviax.exe
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\oodm.exe
D:\WINDOWS\System32\HPZipm12.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\svchost.exe
G:\SlimBrowser\sbrowser.exe
D:\Documents and Settings\Lauren\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmartDefrag] "G:\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = G:\Microsoft Office PRO\Office10\OSA.EXE
O4 - Global Startup: oodm.exe
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - D:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...e/w4sgeen10.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay11...es/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188675217674
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - D:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - G:\XBox 360 Controller\pinnacle_updater.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)
  • 0

Advertisements

#2
JSntgRvr
Posted 16 February 2008 - 04:00 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, Lovltn848 :)

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
Lovltn848
Posted 16 February 2008 - 04:33 PM

Lovltn848

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 237 posts
Combofix

ComboFix 08-02-17.2 - Lauren 2008-02-16 15:25:04.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.98 [GMT -7:00]
Running from: G:\Incomplete\Temporary Internet Files\Content.IE5\CAWNGDAV\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\winupdates
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 15:28 . 2008-02-17 15:28 <DIR> d-------- D:\WINDOWS\system32\LogFiles
2008-02-16 15:16 . 2008-02-16 15:16 30,720 --a------ D:\WINDOWS\system32\dllcache\figaro.sys
2008-02-16 15:01 . 2008-02-16 15:01 <DIR> d--hs---- D:\FOUND.006
2008-02-16 14:45 . 2008-02-16 14:45 <DIR> d-------- D:\WINDOWS\ERUNT
2008-02-16 14:37 . 2008-02-13 13:22 <DIR> d-------- D:\SDFix
2008-02-16 14:06 . 2008-02-16 14:06 <DIR> d--hs---- D:\FOUND.005
2008-02-16 12:32 . 2008-02-16 12:32 <DIR> d--hs---- D:\FOUND.003
2008-02-16 12:20 . 2008-02-16 12:20 <DIR> d--hs---- D:\FOUND.002
2008-02-16 12:09 . 2008-02-16 12:09 <DIR> d--hs---- D:\FOUND.001
2008-02-14 19:22 . 2008-02-14 19:22 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-02-14 19:22 . 2008-02-14 19:22 1,409 --a------ D:\WINDOWS\QTFont.for
2008-02-08 17:33 . 2008-02-08 17:33 <DIR> d-------- D:\Program Files\MSECache
2008-02-05 19:47 . 2008-02-05 19:47 <DIR> d--hs---- D:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 07:41 --------- d-----w D:\Program Files\Apple Software Update
2007-12-21 07:39 --------- d-----w D:\Program Files\Common Files\Apple
2007-12-21 07:39 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple
2007-12-18 20:59 --------- d-----w D:\Documents and Settings\All Users\Application Data\WinZip
2007-12-18 09:51 179,584 ----a-w D:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w D:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-17 01:46 --------- d-----w D:\Documents and Settings\All Users\Application Data\PopCap
2007-12-07 14:37 3,059,200 ------w D:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ------w D:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w D:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w D:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w D:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w D:\WINDOWS\system32\AVASTSS.scr
2006-12-21 19:59 20 ---h--w D:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\System32\NvCpl.dll" [2006-09-18 13:25 7630848]
"NvMediaCenter"="D:\WINDOWS\System32\NvMcTray.dll" [2006-09-18 13:25 86016]
"SmartDefrag"="G:\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-01-09 10:46 3957760]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
"iTunesHelper"="G:\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - G:\Microsoft Office PRO\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
oodm.exe [2008-02-16 12:00:34 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= D:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-06-12 13:42 102400]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=D:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Lauren^Start Menu^Programs^Startup^lsas.exe]
path=D:\Documents and Settings\Lauren\Start Menu\Programs\Startup\lsas.exe
backup=D:\WINDOWS\pss\lsas.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atwtusb]
--a------ 2005-09-21 18:08 290816 D:\WINDOWS\system32\Atwtusb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
D:\WINDOWS\system32\braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 D:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-09-18 13:25 1519616 D:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-09 23:02 282624 G:\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCScheduleCheck]
--a------ 2003-06-09 16:45 151552 D:\Program Files\VCOM\Recovery Commander\RCSCHED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]
--a------ 2007-01-09 10:46 3957760 G:\IObit SmartDefrag\IObit SmartDefrag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 03:10 49263 D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

R1 aiptektp;HyperPen;D:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
R1 fwdrv;Tiny Personal Firewall Driver;D:\WINDOWS\system32\Drivers\fwdrv.sys [2001-10-22 17:54]
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;D:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 19:50]
S3 utblfilt;utblfilt;D:\WINDOWS\system32\drivers\utblfilt.sys [2001-05-23 15:42]

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-02-10 14:05:02 D:\WINDOWS\Tasks\Scheduled Checkpoint.job"
- D:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE
"2008-02-14 10:20:08 D:\WINDOWS\Tasks\RegCure.job"
- G:\RegCure\RegCure.exe
"2008-02-16 22:17:02 D:\WINDOWS\Tasks\SmartDefrag.job"
- G:\IObit SmartDefrag\schedule.exe-
"2008-02-16 22:13:54 D:\WINDOWS\Tasks\RegCure Program Check.job"
- G:\RegCure\RegCure.exe
"2008-02-15 05:45:24 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 15:28:17
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 15:30:17
ComboFix-quarantined-files.txt 2008-02-17 22:30:10
.
2008-02-14 10:14:54 --- E O F ---


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 3:33:24 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\HPZipm12.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\WINDOWS\system32\wscntfy.exe
G:\IObit SmartDefrag\IObit SmartDefrag.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\System32\msiexec.exe
G:\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\oodm.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\kmd.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
G:\SlimBrowser\sbrowser.exe
D:\Documents and Settings\Lauren\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmartDefrag] "G:\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = G:\Microsoft Office PRO\Office10\OSA.EXE
O4 - Global Startup: oodm.exe
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - D:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...e/w4sgeen10.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay11...es/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188675217674
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - D:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - G:\XBox 360 Controller\pinnacle_updater.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)
  • 0

#4
JSntgRvr
Posted 16 February 2008 - 06:14 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, Lovltn848 :)

I can only see a remnant of the infection, figaro.sys. The rest are empty entries. Lets try this fix:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::D:\windows\drivers\beep.sysD:\windows\system32\dllcache\beep.sysD:\windows\drivers\figaro.sysD:\WINDOWS\system32\dllcache\figaro.sysRegistry::[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a fresh Hijackhis log.

Edited by JSntgRvr, 16 February 2008 - 06:14 PM.

  • 0

#5
Lovltn848
Posted 16 February 2008 - 06:24 PM

Lovltn848

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 237 posts
hmm..combofix ran off of my browser, I don't think it downloaded a program or anything.

edit: okay I found combofix[1].exe, but the text file can't be dragged or pasted into it.

Edited by Lovltn848, 16 February 2008 - 06:37 PM.

  • 0

#6
JSntgRvr
Posted 16 February 2008 - 06:47 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Please download ComboFix from Here or Here to your Desktop.

It must be saved on your desktop.

Download the enclosed file.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a fresh Hijackthis log.

Edited by JSntgRvr, 16 February 2008 - 06:47 PM.

  • 0

#7
Lovltn848
Posted 16 February 2008 - 06:53 PM

Lovltn848

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 237 posts
alright, got it now. so I need to run combofix to get another log to post, right?
  • 0

#8
Lovltn848
Posted 16 February 2008 - 07:29 PM

Lovltn848

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 237 posts
Okay, I'm back to square one. I tried to run the ComboFix again and when it was almost finished, my computer shut down. The virus has disabled my antivirus and I'm getting the red circle with the white x saying "your computer is at risk" etc. The moment that thing pops up, my computer shuts down again.

I tried to run ComboFix in safe mode but it doesn't work. :)

Also, when I go to Run>msconfig>startup I still have the breviax thing. when I try to uncheck it I get an error saying I need administrator access to do that.

I am going to run SDFix in safe mode. Would you like a log of that?

Edited by Lovltn848, 16 February 2008 - 07:43 PM.

  • 0

#9
JSntgRvr
Posted 16 February 2008 - 07:59 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
I can't help you if you run tools on your own. There is no need to run SDFix.

All I asked you was to download Combofix and save it to your desktop, then download CFScript.txt and drag it into Combo fix. I am sure you did not followed the instructions, as the CFScript.txt has not been downloaded yet.

When running Combofix all Real Time Protection must be disable.

Please remove the current copy of Combofix and download a new one, then follow the instructions on my previous post.
  • 0

#10
Lovltn848
Posted 16 February 2008 - 08:10 PM

Lovltn848

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 237 posts
I saved the text on my own before you posted the file of the same thing. Yes, I did that, then I assumed I needed to run combofix again to get another log to post for you. I ran it again and that's when my computer started to continuously restart itself again. I had to run sdfix in order to get my computer to stop restarting itself, and that worked.

Now...after I drag and drop into the new combofix, how do I post another report?

Edited by Lovltn848, 16 February 2008 - 08:13 PM.

  • 0

Advertisements

#11
JSntgRvr
Posted 16 February 2008 - 08:25 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts

I saved the text on my own before you posted the file of the same thing. Yes, I did that, then I assumed I needed to run combofix again to get another log to post for you. I ran it again and that's when my computer started to continuously restart itself again. I had to run sdfix in order to get my computer to stop restarting itself, and that worked.

Now...after I drag and drop into the new combofix, how do I post another report?

It will popup at the end of the scan.
  • 0

#12
Lovltn848
Posted 16 February 2008 - 08:27 PM

Lovltn848

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 237 posts
ok, let's try this again

Edited by Lovltn848, 16 February 2008 - 08:31 PM.

  • 0

#13
Lovltn848
Posted 16 February 2008 - 08:40 PM

Lovltn848

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 237 posts
Okay, it worked this time.

ComboFix

ComboFix 08-02-17.2 - Lauren 2008-02-17 19:31:58.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.122 [GMT -7:00]
Running from: D:\ComboFix.exe
Command switches used :: D:\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
D:\windows\drivers\beep.sys
D:\windows\drivers\figaro.sys
D:\windows\system32\dllcache\beep.sys
D:\WINDOWS\system32\dllcache\figaro.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\windows\system32\dllcache\beep.sys
D:\WINDOWS\system32\dllcache\figaro.sys

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-17 19:10 . 2008-02-17 19:10 1,597,661 --a------ D:\ComboFix.exe
2008-02-17 18:35 . 2008-02-17 18:35 <DIR> d--hs---- D:\FOUND.008
2008-02-17 18:12 . 2008-02-17 18:12 <DIR> d--hs---- D:\FOUND.007
2008-02-17 18:06 . 2008-02-13 13:20 4,224 --a------ D:\WINDOWS\system32\drivers\beep.sys
2008-02-17 15:28 . 2008-02-17 15:28 <DIR> d-------- D:\WINDOWS\system32\LogFiles
2008-02-16 15:01 . 2008-02-16 15:01 <DIR> d--hs---- D:\FOUND.006
2008-02-16 14:45 . 2008-02-16 14:45 <DIR> d-------- D:\WINDOWS\ERUNT
2008-02-16 14:37 . 2008-02-13 13:22 <DIR> d-------- D:\SDFix
2008-02-16 14:06 . 2008-02-16 14:06 <DIR> d--hs---- D:\FOUND.005
2008-02-16 12:32 . 2008-02-16 12:32 <DIR> d--hs---- D:\FOUND.003
2008-02-16 12:20 . 2008-02-16 12:20 <DIR> d--hs---- D:\FOUND.002
2008-02-16 12:09 . 2008-02-16 12:09 <DIR> d--hs---- D:\FOUND.001
2008-02-08 17:33 . 2008-02-08 17:33 <DIR> d-------- D:\Program Files\MSECache
2008-02-05 19:47 . 2008-02-05 19:47 <DIR> d--hs---- D:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 07:41 --------- d-----w D:\Program Files\Apple Software Update
2007-12-21 07:39 --------- d-----w D:\Program Files\Common Files\Apple
2007-12-21 07:39 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple
2007-12-18 20:59 --------- d-----w D:\Documents and Settings\All Users\Application Data\WinZip
2007-12-18 09:51 179,584 ----a-w D:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w D:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w D:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ------w D:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w D:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w D:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w D:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w D:\WINDOWS\system32\AVASTSS.scr
2006-12-21 19:59 20 ---h--w D:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\System32\NvCpl.dll" [2006-09-18 13:25 7630848]
"NvMediaCenter"="D:\WINDOWS\System32\NvMcTray.dll" [2006-09-18 13:25 86016]
"SmartDefrag"="G:\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-01-09 10:46 3957760]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
"iTunesHelper"="G:\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - G:\Microsoft Office PRO\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
oodm.exe [2008-02-16 12:00:34 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= D:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-06-12 13:42 102400]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=D:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Lauren^Start Menu^Programs^Startup^lsas.exe]
path=D:\Documents and Settings\Lauren\Start Menu\Programs\Startup\lsas.exe
backup=D:\WINDOWS\pss\lsas.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atwtusb]
--a------ 2005-09-21 18:08 290816 D:\WINDOWS\system32\Atwtusb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 D:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-09-18 13:25 1519616 D:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-09 23:02 282624 G:\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCScheduleCheck]
--a------ 2003-06-09 16:45 151552 D:\Program Files\VCOM\Recovery Commander\RCSCHED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]
--a------ 2007-01-09 10:46 3957760 G:\IObit SmartDefrag\IObit SmartDefrag.exe

R1 aiptektp;HyperPen;D:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
R1 fwdrv;Tiny Personal Firewall Driver;D:\WINDOWS\system32\Drivers\fwdrv.sys [2001-10-22 17:54]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;D:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 19:50]
S3 utblfilt;utblfilt;D:\WINDOWS\system32\drivers\utblfilt.sys [2001-05-23 15:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-10 14:05:02 D:\WINDOWS\Tasks\Scheduled Checkpoint.job"
- D:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE
"2008-02-14 10:20:08 D:\WINDOWS\Tasks\RegCure.job"
- G:\RegCure\RegCure.exe
"2008-02-18 01:52:30 D:\WINDOWS\Tasks\SmartDefrag.job"
- G:\IObit SmartDefrag\schedule.exe-
"2008-02-18 01:20:30 D:\WINDOWS\Tasks\RegCure Program Check.job"
- G:\RegCure\RegCure.exe
"2008-02-15 05:45:24 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 19:35:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 19:36:58
ComboFix-quarantined-files.txt 2008-02-18 02:36:54
ComboFix2.txt 2008-02-17 22:30:20
.
2008-02-14 10:14:54 --- E O F ---

hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 7:40:16 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\HPZipm12.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
G:\IObit SmartDefrag\IObit SmartDefrag.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\oodm.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Tiny Personal Firewall\PERSFW.EXE
G:\SlimBrowser\sbrowser.exe
D:\Documents and Settings\Lauren\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmartDefrag] "G:\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = G:\Microsoft Office PRO\Office10\OSA.EXE
O4 - Global Startup: oodm.exe
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - D:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...e/w4sgeen10.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay11...es/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188675217674
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - D:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - G:\XBox 360 Controller\pinnacle_updater.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)
  • 0

#14
JSntgRvr
Posted 16 February 2008 - 08:48 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
After completing this task, please download the enclosed folder. Save and extract its contents to he desktop. It is a batch file, Filelist.bat. Once extracted, doubleclick on the Filelist.bat. A report will be produced. Since the size of this report will be huge, please attach the report to a reply, rather than pasting its contents.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel find the Attachments Panel
  • Click on Browse and locate the file and click on it
  • Click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#15
Lovltn848
Posted 16 February 2008 - 08:50 PM

Lovltn848

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 237 posts
Ugh..I'm so sorry. I have another obstacle. I don't have Winzip and I can't afford to buy it.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP