Popups in Firefox [CLOSED]


This topic is locked.

#1 uzi9mm (Member, 34 posts)
Just yesterday I started getting popups in Firefox. I get a message displayed in the bottom right-hand corner of the browser saying 'ad served by fbrowsing advisor', and then the popup opens up in another window.

I did use LimeWire yesterday and I'm sure it was fine before I used it, so maybe it's linked to that?

Any help would be greatly appreciated.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:33:17, on 28/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\service.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ContextEnhancer - {4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} - C:\Program Files\ContextEnhancer\ContextEnhancer-1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [MDNS] C:\WINNT\system32\service.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7278] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2844] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2256] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9854] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5514] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8937] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\RunOnce: [SpybotDeletingB5310] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5617] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB623] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9528] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5423] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5562] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi uzi9mm

Welcome to Geeks to Go :)

You have the start of a mass-spawning Vundo infection, so we will deal with that first.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

andrewuk

#3 uzi9mm (Topic Starter, Member, 34 posts)
Hi andrewuk,

Thanks for the reply.


Here is my ComboFix log:

ComboFix 08-02-25.3 - Uzi 2008-02-28 23:55:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.211 [GMT 0:00]
Running from: C:\Documents and Settings\Uzi.USMAN\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\MabryObj.dll
C:\WINNT\system32\nett12.dll
C:\WINNT\system32\service.exe
C:\WINNT\system32\winnb58.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.

2008-02-28 13:41 . 2008-02-28 13:41 396 --a------ C:\WINNT\wininit.ini
2008-02-28 12:52 . 2008-02-28 13:42 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
2008-02-28 12:51 . 2008-02-28 12:45 691,545 --a------ C:\WINNT\unins000.exe
2008-02-28 12:51 . 2008-02-28 12:51 2,544 --a------ C:\WINNT\unins000.dat
2008-02-27 17:52 . 2008-02-28 23:52 <DIR> d-------- C:\Program Files\FBrowsingAdvisor
2008-02-27 17:52 . 2008-02-27 17:53 <DIR> d-------- C:\Program Files\FBrowserAdvisor
2008-02-27 17:52 . 2008-02-27 17:52 <DIR> d-------- C:\Program Files\ContextEnhancer
2008-02-26 16:10 . 2008-02-26 17:07 <DIR> d-------- C:\Program Files\Transcender
2008-02-24 14:23 . 2008-02-24 14:23 <DIR> d-------- C:\Program Files\DIFX
2008-02-24 14:23 . 2008-02-24 14:28 <DIR> d-------- C:\Documents and Settings\Uzi.USMAN\Application Data\Nokia
2008-02-24 14:23 . 2008-02-24 14:25 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\PC Suite
2008-02-24 14:22 . 2008-02-24 14:22 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-02-24 14:22 . 2008-02-24 14:22 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-02-24 14:22 . 2008-02-24 14:23 <DIR> d-------- C:\Documents and Settings\Uzi.USMAN\Application Data\PC Suite
2008-02-24 14:22 . 2007-02-22 10:15 137,216 --a------ C:\WINNT\system32\drivers\nmwcd.sys
2008-02-24 14:22 . 2007-02-22 10:15 65,536 --a------ C:\WINNT\system32\nmwcdcocls.dll
2008-02-24 14:22 . 2007-02-22 10:15 12,288 --a------ C:\WINNT\system32\drivers\nmwcdcm.sys
2008-02-24 14:22 . 2007-02-22 10:15 8,320 --a------ C:\WINNT\system32\drivers\nmwcdc.sys
2008-02-24 14:21 . 2008-02-24 14:21 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Installations
2008-02-20 21:25 . 2006-04-28 15:24 18,704 -ra------ C:\WINNT\system32\drivers\se27nd5.sys
2008-02-17 13:15 . 2008-02-17 13:15 <DIR> d-------- C:\WINNT\SHELLNEW
2008-02-15 22:48 . 2008-02-15 22:49 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-02-13 22:50 . 2008-02-18 18:54 26,984 --a------ C:\WINNT\system32\GDIPFONTCACHEV1.DAT
2008-02-13 22:49 . 2008-02-13 22:49 <DIR> d-------- C:\Program Files\Transparent
2008-02-13 22:49 . 2008-02-13 22:49 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Transparent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 21:00 --------- d-----w C:\Documents and Settings\Uzi.USMAN\Application Data\LimeWire
2008-02-28 12:55 --------- d-----w C:\Program Files\Dot1XCfg
2008-02-28 12:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-24 14:22 --------- d-----w C:\Program Files\Nokia
2008-02-24 14:22 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-17 13:16 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft Help
2008-02-13 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 11:09 --------- d-----w C:\Documents and Settings\Uzi.USMAN\Application Data\AdobeUM
2008-01-24 21:54 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Teleca
2008-01-24 21:54 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Sony Ericsson
2008-01-24 21:53 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-01-23 00:18 --------- d-----w C:\Program Files\DivX
2008-01-21 19:14 --------- d-----w C:\Program Files\Java
2008-01-10 21:58 --------- d-----w C:\Documents and Settings\Uzi.USMAN\Application Data\Grisoft
2008-01-10 21:58 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft
2008-01-10 21:41 --------- d-----w C:\Program Files\MSN Messenger
2008-01-10 21:41 --------- d-----w C:\Program Files\Athan
2008-01-10 21:36 --------- d-----w C:\Program Files\QuickTime
2008-01-10 20:41 155,648 ----a-w C:\WINNT\system32\igfxtray.exe
2008-01-10 20:41 126,976 ----a-w C:\WINNT\system32\hkcmd.exe
2008-01-10 00:43 --------- d-----w C:\Program Files\Lavasoft
2008-01-10 00:43 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft
2008-01-10 00:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-09 21:10 --------- d-----w C:\Program Files\SopCast
2007-11-29 22:30 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
2005-02-19 16:51 17,776 ----a-w C:\Documents and Settings\Yusuf\Application Data\GDIPFONTCACHEV1.DAT
2005-01-16 19:22 17,776 ----a-w C:\Documents and Settings\Ayesha\Application Data\GDIPFONTCACHEV1.DAT
2004-12-14 20:00 17,776 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.
Files Infected - Win32.Agent.zb
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E}]
2007-12-30 20:48 1019904 --a------ C:\Program Files\ContextEnhancer\ContextEnhancer-1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINNT\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-10 20:42 5674352]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-10 20:41 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB5310"="command /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log" [ ]
"SpybotDeletingD5617"="cmd /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log" [ ]
"SpybotDeletingB623"="command /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log" [ ]
"SpybotDeletingD9528"="cmd /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log" [ ]
"SpybotDeletingB5423"="command /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie" [ ]
"SpybotDeletingD5562"="cmd /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2008-01-10 20:41 155648]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2008-01-10 20:41 126976]
"Athan"="C:\Program Files\Athan\Athan.exe" [2008-01-10 20:17 1003520]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7278"="command /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log" [ ]
"SpybotDeletingC2844"="cmd /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log" [ ]
"SpybotDeletingA2256"="command /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log" [ ]
"SpybotDeletingC9854"="cmd /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log" [ ]
"SpybotDeletingA5514"="command /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie" [ ]
"SpybotDeletingC8937"="cmd /c del C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINNT\System32\CTFMON.EXE" [2004-08-03 23:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Smart Wizard Wireless Settings.lnk - C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2004-02-27 15:41:54 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINNT\system32\DRIVERS\wg121nd5.sys [2003-11-28 10:18]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINNT\system32\NSNDIS5.SYS [2004-03-24 02:12]

*Newly Created Service* - ALERTER
.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 16:45:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 00:00:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-29 0:02:46
ComboFix-quarantined-files.txt 2008-02-29 00:02:18
ComboFix2.txt 2008-01-10 21:48:42



Here is my new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:09:50, on 29/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ContextEnhancer - {4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} - C:\Program Files\ContextEnhancer\ContextEnhancer-1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\RunOnce: [SpybotDeletingA7278] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2844] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2256] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9854] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5514] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8937] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\RunOnce: [SpybotDeletingB5310] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5617] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_11_54 AM_468.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB623] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9528] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Log\2008 Jan 10 - 12_12_51 AM_843.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5423] command /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5562] cmd /c del "C:\Documents and Settings\Uzi.USMAN\Application Data\AdwareAlert\Settings\ScanResults.pie"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7233 bytes



Kind Regards,

uzi9mm

#4 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\Program Files\Dot1XCfg
C:\Program Files\ContextEnhancer
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dot1XCfg"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB5310"=-
"SpybotDeletingD5617"=-
"SpybotDeletingB623"=-
"SpybotDeletingD9528"=-
"SpybotDeletingB5423"=-
"SpybotDeletingD5562"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7278"=-
"SpybotDeletingC2844"=-
"SpybotDeletingA2256"=-
"SpybotDeletingC9854"=-
"SpybotDeletingA5514"=-
"SpybotDeletingC8937"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation of dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk
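The two things the helper does by hand in this thread, reading the HijackThis O2/O4 entries for the ContextEnhancer BHO and the MDNS loader (post #2) and then writing a ComboFix CFScript to delete them (post #4), can be mechanised. The script below is an added example, not code from the thread, from HijackThis or from ComboFix. It parses O2 (BHO), O4 (Run/RunOnce) and O23 (service) lines into records, flags entries against an indicator list, drafts a CFScript in the same Folder::/Registry:: form the helper used, and diffs a before/after log to confirm the fix took. The sample log lines are copied from the logs posted above; the indicator list is simply what the helper and ComboFix actually removed in this thread. Matching on exact CLSID and path is an assumption made for illustration, not a complete triage rule, and the CFScript it prints is a draft to be reviewed, not run blindly.

```python
"""Triage a HijackThis log and draft a ComboFix CFScript for the flagged entries.

Added example, not code from this thread or from the HijackThis/ComboFix projects.
Sample log lines are copied from the thread's logs; indicators are what post #3
(ComboFix) and post #4 (the helper) removed. Exact CLSID/path matching is an
assumption for illustration: real triage also checks signatures and reputation.
"""
import re
from dataclasses import dataclass

# HKLM/HKCU as HijackThis abbreviates them -> the full Run/RunOnce parent key
HIVE = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion",
}
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Entry:
    kind: str   # "BHO", "Run", "RunOnce" or "Service"
    hive: str   # "HKLM" or "HKCU"
    name: str   # BHO/service display name, or the Run value name
    clsid: str  # BHO CLSID (upper-cased), "" otherwise
    path: str   # DLL/EXE path with quotes and arguments stripped


def _exe_path(cmd: str) -> str:
    """Program path of a Run value: the quoted path, else the first token ending in .exe/.dll."""
    m = re.match(r'^"([^"]+)"', cmd) or re.match(r"^(.+?\.(?:exe|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text: str) -> list[Entry]:
    """Parse O2, O4 (HKLM/HKCU only) and O23 lines; HKUS, Global Startup and other O-lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("BHO", "HKLM", m["name"], m["clsid"].upper(), m["path"]))
        elif m := O4_RE.match(line):
            entries.append(Entry(m["key"], m["hive"], m["name"], "", _exe_path(m["cmd"])))
        elif m := O23_RE.match(line):
            entries.append(Entry("Service", "HKLM", m["name"], "", m["path"]))
    return entries


def flag(entries: list[Entry], bad_clsids: set[str], bad_paths: set[str]) -> list[Entry]:
    """Entries whose CLSID or on-disk path matches an indicator (paths compared case-insensitively)."""
    clsids = {c.upper() for c in bad_clsids}
    paths = {p.lower() for p in bad_paths}
    return [e for e in entries if (e.clsid and e.clsid in clsids) or e.path.lower() in paths]


def cfscript(flagged: list[Entry], folders: tuple[str, ...] = ()) -> str:
    """Draft a CFScript in the Folder::/Registry:: form used in post #4.

    A BHO becomes a [-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{CLSID}] key deletion and a
    Run/RunOnce entry a "Name"=- value deletion under its key. Flagged services are deliberately
    not scripted here (ComboFix treats them separately), so they surface only in the flag list.
    """
    lines = []
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
    reg: dict[str, list[str]] = {}
    for e in flagged:
        if e.kind == "BHO":
            reg.setdefault(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{e.clsid}]", [])
        elif e.kind in ("Run", "RunOnce"):
            reg.setdefault(f"[{HIVE[e.hive]}\\{e.kind}]", []).append(f'"{e.name}"=-')
    if reg:
        lines.append("Registry::")
        for key, values in reg.items():
            lines.append(key)
            lines.extend(values)
    return "\n".join(lines) + "\n"


def removed_between(before: str, after: str) -> list[Entry]:
    """Entries in an earlier log that are gone from a later one: the check that a fix actually took."""
    later = set(parse_hjt(after))
    return [e for e in parse_hjt(before) if e not in later]


# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_BEFORE = r"""
O2 - BHO: ContextEnhancer - {4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} - C:\Program Files\ContextEnhancer\ContextEnhancer-1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MDNS] C:\WINNT\system32\service.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""
# The second log in the thread (after ComboFix) no longer lists the MDNS loader.
SAMPLE_AFTER = "\n".join(l for l in SAMPLE_BEFORE.splitlines() if "[MDNS]" not in l)

# Indicators established by this thread: the BHO and folders removed in post #4, the loader ComboFix deleted in post #3.
BAD_CLSIDS = {"{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E}"}
BAD_PATHS = {r"C:\WINNT\system32\service.exe", r"C:\Program Files\Dot1XCfg\Dot1XCfg.exe"}
FOLDERS = (r"C:\Program Files\Dot1XCfg", r"C:\Program Files\ContextEnhancer")

if __name__ == "__main__":
    hits = flag(parse_hjt(SAMPLE_BEFORE), BAD_CLSIDS, BAD_PATHS)
    for e in hits:
        print(f"FLAG {e.kind:8} {e.hive} {e.name!r} -> {e.path}")
    print(cfscript(hits, FOLDERS))
    print("gone after fix:", [e.name for e in removed_between(SAMPLE_BEFORE, SAMPLE_AFTER)])
```

Run as-is it flags the ContextEnhancer BHO, the MDNS loader and the Dot1XCfg Run value, prints a CFScript that matches the one in post #4 line for line (plus the MDNS value, which ComboFix had already removed by then), and reports MDNS as the entry that disappeared between the two logs. The diff step is the part worth keeping even without the rest: an entry that is still present in the post-fix log means the loader re-created it, which is exactly the behaviour the helper's "mass spawning" remark refers to.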

#5 uzi9mm (Topic Starter, Member, 34 posts)
Hi andrewuk,

Thanks for the reply.

Here is my new ComboFix log:

ComboFix 08-02-25.3 - Uzi 2008-02-29 21:31:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.219 [GMT 0:00]
Running from: C:\Documents and Settings\Uzi.USMAN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Uzi.USMAN\My Documents\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ContextEnhancer
C:\Program Files\ContextEnhancer\ContextEnhancer-1.dll
C:\Program Files\ContextEnhancer\pcre3.dll
C:\Program Files\ContextEnhancer\uninstall.exe
C:\Program Files\Dot1XCfg

.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))
.

2008-02-29 00:09 . 2008-02-29 00:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 13:41 . 2008-02-28 13:41 396 --a------ C:\WINNT\wininit.ini
2008-02-28 12:52 . 2008-02-28 13:42 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
2008-02-28 12:51 . 2008-02-28 12:45 691,545 --a------ C:\WINNT\unins000.exe
2008-02-28 12:51 . 2008-02-28 12:51 2,544 --a------ C:\WINNT\unins000.dat
2008-02-27 17:52 . 2008-02-29 21:27 <DIR> d-------- C:\Program Files\FBrowsingAdvisor
2008-02-27 17:52 . 2008-02-27 17:53 <DIR> d-------- C:\Program Files\FBrowserAdvisor
2008-02-26 16:10 . 2008-02-26 17:07 <DIR> d-------- C:\Program Files\Transcender
2008-02-24 14:23 . 2008-02-24 14:23 <DIR> d-------- C:\Program Files\DIFX
2008-02-24 14:23 . 2008-02-24 14:28 <DIR> d-------- C:\Documents and Settings\Uzi.USMAN\Application Data\Nokia
2008-02-24 14:23 . 2008-02-24 14:25 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\PC Suite
2008-02-24 14:22 . 2008-02-24 14:22 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-02-24 14:22 . 2008-02-24 14:22 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-02-24 14:22 . 2008-02-24 14:23 <DIR> d-------- C:\Documents and Settings\Uzi.USMAN\Application Data\PC Suite
2008-02-24 14:22 . 2007-02-22 10:15 137,216 --a------ C:\WINNT\system32\drivers\nmwcd.sys
2008-02-24 14:22 . 2007-02-22 10:15 65,536 --a------ C:\WINNT\system32\nmwcdcocls.dll
2008-02-24 14:22 . 2007-02-22 10:15 12,288 --a------ C:\WINNT\system32\drivers\nmwcdcm.sys
2008-02-24 14:22 . 2007-02-22 10:15 8,320 --a------ C:\WINNT\system32\drivers\nmwcdc.sys
2008-02-24 14:21 . 2008-02-24 14:21 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Installations
2008-02-20 21:25 . 2006-04-28 15:24 18,704 -ra------ C:\WINNT\system32\drivers\se27nd5.sys
2008-02-17 13:15 . 2008-02-17 13:15 <DIR> d-------- C:\WINNT\SHELLNEW
2008-02-15 22:48 . 2008-02-15 22:49 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-02-13 22:50 . 2008-02-18 18:54 26,984 --a------ C:\WINNT\system32\GDIPFONTCACHEV1.DAT
2008-02-13 22:49 . 2008-02-13 22:49 <DIR> d-------- C:\Program Files\Transparent
2008-02-13 22:49 . 2008-02-13 22:49 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Transparent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 21:00 --------- d-----w C:\Documents and Settings\Uzi.USMAN\Application Data\LimeWire
2008-02-28 12:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-24 14:22 --------- d-----w C:\Program Files\Nokia
2008-02-24 14:22 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-17 13:16 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft Help
2008-02-13 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 11:09 --------- d-----w C:\Documents and Settings\Uzi.USMAN\Application Data\AdobeUM
2008-01-24 21:54 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Teleca
2008-01-24 21:54 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Sony Ericsson
2008-01-24 21:53 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-01-23 00:18 --------- d-----w C:\Program Files\DivX
2008-01-21 19:14 --------- d-----w C:\Program Files\Java
2008-01-10 21:58 --------- d-----w C:\Documents and Settings\Uzi.USMAN\Application Data\Grisoft
2008-01-10 21:58 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft
2008-01-10 21:41 --------- d-----w C:\Program Files\MSN Messenger
2008-01-10 21:41 --------- d-----w C:\Program Files\Athan
2008-01-10 21:36 --------- d-----w C:\Program Files\QuickTime
2008-01-10 20:41 155,648 ----a-w C:\WINNT\system32\igfxtray.exe
2008-01-10 20:41 126,976 ----a-w C:\WINNT\system32\hkcmd.exe
2008-01-10 00:43 --------- d-----w C:\Program Files\Lavasoft
2008-01-10 00:43 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft
2008-01-10 00:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-09 21:10 --------- d-----w C:\Program Files\SopCast
2007-11-29 22:30 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
2005-02-19 16:51 17,776 ----a-w C:\Documents and Settings\Yusuf\Application Data\GDIPFONTCACHEV1.DAT
2005-01-16 19:22 17,776 ----a-w C:\Documents and Settings\Ayesha\Application Data\GDIPFONTCACHEV1.DAT
2004-12-14 20:00 17,776 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.
Files Infected - Win32.Agent.zb
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINNT\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-10 20:42 5674352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-10 20:41 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2008-01-10 20:41 155648]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2008-01-10 20:41 126976]
"Athan"="C:\Program Files\Athan\Athan.exe" [2008-01-10 20:17 1003520]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINNT\System32\CTFMON.EXE" [2004-08-03 23:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Smart Wizard Wireless Settings.lnk - C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2004-02-27 15:41:54 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINNT\system32\DRIVERS\wg121nd5.sys [2003-11-28 10:18]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINNT\system32\NSNDIS5.SYS [2004-03-24 02:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 16:45:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 21:37:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-29 21:39:32
ComboFix-quarantined-files.txt 2008-02-29 21:39:12
ComboFix2.txt 2008-02-29 00:02:47
ComboFix3.txt 2008-01-10 21:48:42



Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:41:48, on 29/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5186 bytes



Kind Regards,

uzi9mm
  • 0

#6
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
In this post we will clear the last of the malware I see on your logs, flush your temp folders and then we will do a couple of scans to see what else is lurking on your machine.

The scans are likely to take over 3 hours, so just let them run.

But firstly we will install an antivirus on your machine. I don't see one; if this is the case follow STEP 1, otherwise go on to STEP 2.

====STEP 1====
This program is basic for the security of your computer and in today's age not having one will probably lead to disaster for your computer.

Please go to http://www.avast.com.../down_home.html and download avast! 4 Home Edition to your desktop. Locate the file that you just downloaded, double-click on the file to launch the installation of avast!

Click Next on the avast! Setup window and on the next window with the ReadMe File.
Now you will see the Legal Agreement, just click I agree, and then click Next to continue.

You will be prompted with Configuration window, make sure that you choose Typical configuration and then click Next. Click Next to the windows that will follow, when the installation will finish, you will be given an option to schedule a boot time scan, select No

Now you have to restart your machine, select Restart and then click Finish.

After you restart you will get a message about avast! it will give you the general "Hello and Thank you for choosing our Product." Also after you restart you will notice 2 new icons in the bottom right corner of the screen.

VERY IMPORTANT - after restarting, right-click on the a in the taskbar and select Updating, then highlight and click Program.

You will get a popup after it's done updating. If avast! had to download anything for your computer you may get a message asking you to restart.

After you have updated avast!, right-click the small a icon in the task bar and click Start Avast! AntiVirus.

Click Program Registration and you will be taken to their website. Fill out the form and then check your e-mail. Once you get an e-mail from them (usually about 1 minute after submitting the form) copy and paste the serial they provided into the highlighted box. Then click OK.

After this, you will need to Schedule Boot-Time Scan with avast! Click on the little button placed up in the left corner, and select Schedule Boot-Time Scan. Read also this tutorial http://www.schmahl.n...astbootscan.htm; it may make it easier for you to follow the steps.

Next, choose
  • Scan all local disks
  • Scan archive files
  • Click on Schedule
  • On the next dialog Operating system restart needed select Yes
Now avast! will restart your computer and start to scan before Windows fully loads.

IMPORTANT NOTE: since your system has infections on it, avast! will give you a dialog box with recommended actions and options; please make sure, if this happens, to click the Move to Chest button, and not to delete any reported files.

On completion of the boot scan there will be a report at this location: C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt. Please post that in your next reply.


====STEP 2====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} - (no file)
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\Program Files\Dot1XCfg\Dot1XCfg.exe <== could you let me know if this file was still there to be deleted


====STEP 3====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 4====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


In your next reply could I see:
1. if you installed the antivirus program or if there was one already installed on your machine
2. if that file C:\Program Files\Dot1XCfg\Dot1XCfg.exe was still on your machine when you went to delete it
3. the avast! log
4. the SUPERAntiSpyware log
5. the Kaspersky log
6. a new HijackThis log

There may be a lot of information to post in your next reply, so you may have to post the information over more than one reply to ensure it is all posted.

andrewuk
  • 0
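Added example, not code from this thread or from HijackThis or ComboFix: a small Python triage script that applies the two signs the helper used to pick the STEP 2 entries, a BHO with no backing file and an autorun that points into a folder ComboFix already listed under "Other Deletions", to sample lines copied from the logs posted above.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above, plus the
# two folders ComboFix listed under "Other Deletions" earlier in the same thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
"""
COMBOFIX_DELETED = [r"C:\Program Files\ContextEnhancer", r"C:\Program Files\Dot1XCfg"]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First token of a Run command: a quoted path, or an unquoted path ending in .exe
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)


def _under(path, folder):
    """True if path lies inside folder (Windows paths, case-insensitive)."""
    return path.lower().startswith(folder.lower().rstrip("\\") + "\\")


def triage(log_text, deleted_dirs):
    """Return the O2/O4 entries a helper would want a second look at."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            # A registered BHO whose DLL is gone is a leftover to clean up.
            if m.group("path").strip().lower() == "(no file)":
                findings.append({"type": "O2", "name": m.group("name"),
                                 "clsid": m.group("clsid"),
                                 "reason": "BHO registered but its DLL is missing"})
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            if exe is None:
                continue
            exe_path = exe.group("exe")
            # The folder is gone, so the Run value is a dangling autorun entry.
            if any(_under(exe_path, d) for d in deleted_dirs):
                findings.append({"type": "O4", "name": m.group("name"),
                                 "exe": exe_path,
                                 "reason": "autorun points into a folder ComboFix removed"})
    return findings


def run_sample():
    """Triage the constructed sample; flags exactly the two STEP 2 entries."""
    return triage(SAMPLE_LOG, COMBOFIX_DELETED)


if __name__ == "__main__":
    for f in run_sample():
        print(f["type"], f["name"], "->", f["reason"])
```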

#7
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Still with us?
  • 0

#8
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
