Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

WLCtrl32.dll removal


  • Please log in to reply

#31
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,566 posts
Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

File::
C:\WINDOWS\system32\drivers\nkv2.sys

Driver::
nkv2


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do it's thing.
Let me have the log produced, as before, as well as a fresh HJT log.
  • 0

Advertisements


#32
philx

philx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here are the logs:


ComboFix 08-03-24.1 - Peter 2008-03-28 16:04:44.3 - NTFSx86
Running from: D:\Docs\Desktop\ComboFix.exe
Command switches used :: D:\Docs\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\nkv2.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\nkv2.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USB2_04
-------\USB2_04


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-27 14:35 . 2008-03-27 14:35 146,338 --a------ C:\catchme.zip
2008-03-24 15:20 . 2004-08-03 17:07 24,576 --a------ C:\WINDOWS\system32\CF_init.exe
2008-03-23 17:46 . 2008-03-25 13:01 250 --a------ C:\WINDOWS\gmer.ini
2008-03-19 14:49 . 2008-03-19 14:49 <DIR> d-------- C:\Documents and Settings\Peter\Application Data\Uniblue
2008-03-19 14:48 . 2008-03-19 14:48 <DIR> d-------- C:\Program Files\Uniblue
2008-03-18 01:19 . 2008-03-18 01:37 <DIR> d-------- C:\Program Files\Unlocker
2008-03-18 01:19 . 2008-03-18 01:19 <DIR> d-------- C:\Documents and Settings\Peter\Application Data\Desktopicon
2008-03-07 23:44 . 2008-03-07 23:44 <DIR> d-------- C:\Program Files\BillP Studios
2008-03-07 23:44 . 2008-03-07 23:44 <DIR> d-------- C:\Documents and Settings\Peter\Application Data\WinPatrol
2008-03-07 23:41 . 2008-03-07 23:39 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-07 23:41 . 2008-03-07 23:41 2,550 --a------ C:\WINDOWS\unins000.dat
2008-03-05 09:11 . 2008-03-05 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-04 12:43 . 2008-03-04 12:43 <DIR> d-------- C:\Program Files\Sun
2008-03-04 12:42 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 12:34 . 2008-03-04 12:42 <DIR> d-------- C:\Program Files\Java
2008-03-04 12:34 . 2008-03-04 12:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-04 10:47 . 2008-03-04 10:47 <DIR> d-------- C:\Program Files\SDM20
2008-03-03 20:47 . 2008-03-03 20:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-03 20:31 . 2008-03-04 07:57 <DIR> d-------- C:\Program Files\CCleaner
2008-03-03 20:24 . 2008-03-03 22:35 <DIR> d-------- C:\SDFix
2008-03-03 19:22 . 2008-03-03 19:22 19,968 --a------ C:\Export.doc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 00:11 51,802,144 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-29 00:09 610,172 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-25 01:27 519,680 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-03-24 04:01 1,973,248 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-03-20 23:01 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-03-20 17:03 12,998,198 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-03-20 07:00 4,235,776 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-03-20 06:13 --------- d-----w C:\Program Files\Trend Micro
2008-03-20 04:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-20 03:50 --------- d-----w C:\Program Files\Google
2008-03-18 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-17 19:36 --------- d-----w C:\Program Files\EsetOnlineScanner
2008-03-08 08:08 100,918 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_05_16_46_42_small.dmp.zip
2008-03-05 23:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-26 04:08 --------- d-----w C:\Documents and Settings\Peter\Application Data\Malwarebytes
2008-02-26 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-24 22:30 --------- d-----w C:\Program Files\Panda Security
2008-02-22 20:42 10,752 ----a-w C:\WINDOWS\system32\drivers\pxark.sys
2008-02-22 20:42 --------- d-----w C:\Documents and Settings\Peter\Application Data\PrevxCSI
2008-02-11 17:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 17:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 21:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 16:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-30 23:39 --------- d-----w C:\Program Files\Taxman
2008-01-30 23:39 --------- d-----w C:\Program Files\Common Files\Taxman
2007-08-15 14:05 2,866,688 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2007-04-25 06:24 2,705,920 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2007-04-25 06:24 1,452,032 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2007-01-01 21:04 110,080 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2007-01-01 21:04 1,286,656 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2006-12-26 21:10 73,728 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2006-12-26 21:10 1,274,880 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2006-12-21 21:55 18,432 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2006-12-21 21:55 1,268,736 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2006-12-21 09:34 132,096 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2006-12-21 09:34 1,291,776 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2006-12-18 20:52 58,880 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2006-12-18 20:52 1,268,736 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2006-12-15 10:46 139,776 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2006-12-15 10:46 1,266,176 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2006-12-11 21:53 2,961,408 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2006-12-11 21:53 1,264,128 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2006-11-13 00:53 615,936 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2006-11-13 00:53 552,448 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2006-11-10 19:31 17,536 ----a-w C:\Documents and Settings\Peter\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 15:25 94208]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:06 1667584]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 23:15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 20:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 20:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 20:43 86016]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-17 20:39 1831936]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 23:15 68856]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 16:11:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
.
**************************************************************************
.
Completion time: 2008-03-28 16:15:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-29 00:15:32
ComboFix2.txt 2008-03-27 22:42:33
ComboFix3.txt 2008-03-24 23:26:45



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:59 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} (F-Secure Health Check 1.0) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup162.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8034 bytes
  • 0

#33
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,566 posts
un the following online scan: Panda ActiveScan.
  • Please note that IE is required to run this scan.
  • You will need to fill in the "Country, region, email address" information before you can download and install the ActiveX components necessary to run the scan.
  • Decide whether you want to click the radio button underneath this part that says -
    "I do not want to receive marketing information from Panda Software and/or its International Representatives where applicable." - it's your choice!
  • When you are asked to "Select a device to scan...", click on "My Computer".
When the scan has finished, click See Report > Save Report which by default will save the scan results as Activescan.txt in My Documents.

Copy and paste the result of the above scan into your next reply along with a fresh HJT log AND a description of how your PC is running.
  • 0

#34
philx

philx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here are the logs; Panda did not find anything on the scan; computer is running well, certainly better than before we stared:

Incident Status Location

Virus:W32/Netsky.Z.worm Disinfected Personal Folders\Deleted Items\*TELUS Detected Spam* Document\Informations.zip[Informations.txt .exe]
Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Deleted Items\*TELUS Detected Spam* Re: Hi\TextDocument.zip
Virus:W32/Netsky.Z.worm Disinfected Personal Folders\Deleted Items\*TELUS Detected Spam* Hello\Informations.zip[Informations.txt .exe]
Virus:Trj/Mitglieder.DQ Disinfected Personal Folders\Inbox\The picture is sent on SMS\Legs.zip[foto_bs363.exe]
Virus:W32/Bagle.EA.worm Disinfected Personal Folders\Inbox\The_taxation.zip[Taxes.exe]
Virus:W32/Netsky.AE.worm Disinfected Personal Folders\Deleted Items\Deleted Items\*TELUS Detected Spam* Re: Hi\summary2004.zip[data.rtf .scr]
Virus:W32/Netsky.AE.worm Disinfected Personal Folders\Deleted Items\Deleted Items\*TELUS Detected Spam* Mail Delivery (failure [email protected])\message.scr
Virus:W32/Netsky.AE.worm Disinfected Personal Folders\Deleted Items\Deleted Items\*TELUS Detected Spam* Re: Bad Request\readme_pstobie.txt .pif
Virus:W32/Netsky.AE.worm Disinfected Personal Folders\Deleted Items\Deleted Items\*TELUS Detected Spam* Hello\software_pstobie.zip[document.txt .exe]
Virus:W32/Netsky.AE.worm Disinfected Personal Folders\Deleted Items\Deleted Items\*TELUS Detected Spam* Mail Delivery (failure [email protected])\message.scr
Virus:W32/Netsky.AE.worm Disinfected Personal Folders\Deleted Items\Deleted Items\*TELUS Detected Spam* Re: Protected Mail Request\document.zip[data.rtf .scr]
Virus:W32/Netsky.AE.worm Disinfected Personal Folders\Deleted Items\Deleted Items\*TELUS Detected Spam* Re: Is that your document?\document.txt.pif
Virus:W32/Netsky.AE.worm Disinfected Personal Folders\Deleted Items\Deleted Items\*TELUS Detected Spam* Mail Delivery (failure [email protected])\message.scr
Virus:W32/Netsky.AE.worm Disinfected Personal Folders\Deleted Items\Deleted Items\*TELUS Detected Spam* Re: Submit a Virus Sample\signature.pif




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:15 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} (F-Secure Health Check 1.0) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup162.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7977 bytes

Edited by philx, 29 March 2008 - 05:16 PM.

  • 0

#35
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,566 posts

Panda did not find anything on the scan

The Panda log says different.

computer is running well

Does that mean the icon has gone, or not?
  • 0

#36
philx

philx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Not sure what you mean by Icon; my main symptom was bn*.* asking for access to trusted zone through zone alarm at start up - that has disappeared. The Panda scan displayed a message when it finished running saying that if had not found anything and there were all zeros in the category list on that screen. I have used Panda before; dont know if it accumulates findings in the log file.
  • 0

#37
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,566 posts

Not sure what you mean by Icon

Wrong log - it's a problem on another thread i'm working on and i'm starting to lose track! :)

As to the Panda detections, according to the log there's a few slimey bits and pieces in Disinfected Personal Folders\Deleted Items\*TELUS Detected Spam*, or there were and Panda has removed them.

As long as the malware issue has gone, i'd say that you were done. I don't see anything in the logs that needs attention.
I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: combofix /u
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point - this will give a clean one should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
  • 0

#38
philx

philx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Great news: I really appreciate all your help; given the complexity (at least to me) of some of these issues I am not sure how you guys go such a great, consistent, high quality job.

I assume I don't need to respond further unless anything goes wrong but I am happy to report back all is well after a few days if you prefer. Thanks for the reference.

Best wishes
Peter
  • 0

#39
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,566 posts
Feel free to post in a couple of days, but I don't expect any issues - hopefully! :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP