Trojan horse Dropper.Agent.HHK



#1 Sheepy1903 (New Member, 9 posts)
Hi,

I am not the brainiest when it comes to computers, but for some reason my AVG anti-virus is coming up with this.

Can anyone tell me how to get rid of this, please?

Edited by Sheepy1903, 22 March 2008 - 11:09 AM.


#2 Sheepy1903 (Topic Starter, New Member, 9 posts)
I downloaded HijackThis and here are the results. Hope this helps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:46:44, on 22/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\xwvyhiby.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\antiviirus.exe
C:\WINDOWS\system32\neiggrjj.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [neiggrjj] C:\WINDOWS\system32\neiggrjj.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [TrV0315t7l] C:\WINDOWS\xwvyhiby.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205933728406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205936870593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 6337 bytes

#3 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi :)

Please rescan with Hijackthis and place a check next to the following entries:

O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [neiggrjj] C:\WINDOWS\system32\neiggrjj.exe
O4 - HKLM\..\Policies\Explorer\Run: [TrV0315t7l] C:\WINDOWS\xwvyhiby.exe

Now click "Fix Checked" and close HijackThis.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
  • Double click on combofix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
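The three entries loophole picked out share traits that can be checked mechanically: an executable with a random-looking name sitting directly in C:\WINDOWS or C:\WINDOWS\system32, a look-alike name (antiviirus.exe) dropped in the Program Files root rather than a vendor folder, and an autostart under HKLM\..\Policies\Explorer\Run, a key ordinary installers do not use. The Python below is an added example, not part of this thread and not part of HijackThis; it parses the O4 lines from the log posted above and flags entries on exactly those heuristics. The thresholds (a consonant run of five or more letters, an edit distance of one or two from a security-product word), the allowlist and the word list are assumptions chosen to fit this log and will need tuning on other machines; a flag means "look at this file", not "this is malware".

```python
import re

# O4 lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [neiggrjj] C:\WINDOWS\system32\neiggrjj.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [TrV0315t7l] C:\WINDOWS\xwvyhiby.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed allowlist: Windows binaries that legitimately autostart from system32.
KNOWN_GOOD = {"ctfmon.exe"}
# Assumed list of words that masquerading droppers like to imitate.
SECURITY_WORDS = ("antivirus", "antispyware", "firewall")
# Directories where a random-named executable is a classic dropper tell.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

def parse_o4(line):
    """Split an O4 line into registry key, value name, executable path and full command."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    if cmd.startswith('"'):                      # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted: cut at the first ".exe"
        mm = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
        exe = mm.group(1) if mm else cmd.split()[0]
    return {"key": m.group("key"), "name": m.group("name"), "exe": exe, "cmd": cmd}

def longest_consonant_run(stem):
    """Length of the longest run of consonants; generated names tend to have long ones."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best

def levenshtein(a, b):
    """Plain edit distance, used to catch look-alike names such as antiviirus."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_target(stem):
    """Return the security word a name imitates (distance 1 or 2), else None."""
    for word in SECURITY_WORDS:
        if 0 < levenshtein(stem.lower(), word) <= 2:
            return word
    return None

def triage(entry):
    """Return the list of reasons an autostart entry deserves a closer look."""
    reasons = []
    path = entry["exe"].replace("/", "\\")
    directory, _, base = path.rpartition("\\")  # bare names (LOGI_MWX.EXE) give directory == ""
    stem = base.lower().rsplit(".", 1)[0]
    if "\\policies\\explorer\\run" in entry["key"].lower():
        reasons.append("autostart via Policies\\Explorer\\Run, a key installers rarely use")
    if (directory.lower() in WINDOWS_DIRS and base.lower() not in KNOWN_GOOD
            and longest_consonant_run(stem) >= 5):
        reasons.append(f"random-looking file name {base} directly in {directory}")
    if directory.lower() == r"c:\program files":
        reasons.append("executable in the Program Files root rather than a vendor folder")
    word = typosquat_target(stem)
    if word:
        reasons.append(f"name imitates '{word}'")
    return reasons

def flagged_entries(lines):
    """Parse every O4 line and keep those with at least one triage reason."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry:
            reasons = triage(entry)
            if reasons:
                hits.append({**entry, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in flagged_entries(SAMPLE_O4_LINES):
        print(f"[{hit['name']}] {hit['exe']}")
        for reason in hit["reasons"]:
            print("    -", reason)
```

Run against the sample it reports antiviirus, neiggrjj and TrV0315t7l and nothing else, which matches the three lines loophole asked to fix. Entries given as a bare file name (LOGI_MWX.EXE, cmd.exe) have no directory component, so the location rules skip them; a practitioner would locate such a file on disk and check its publisher before deciding anything about it.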

#4 Sheepy1903 (Topic Starter, New Member, 9 posts)
I can't thank you enough for helping me to sort out this problem. I hope I have done it correctly, as you asked.

ComboFix 08-03-22.3 - Administrator 2008-03-23 15:34:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.612 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OAOY8U6L\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Other TimeOuts --
CF18822.exe /c " VFind.exe -ltf -s-1300000 -d+2007-12-23 C:\WINDOWS\* >Windir.dat"
VFind.exe -ltf -s-1300000 -d+2007-12-23 C:\WINDOWS\*
CF18822.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 15:20 . 2008-03-23 15:20 16,568 -r-hs---- C:\Program Files\tmp0.exe
2008-03-22 16:46 . 2008-03-22 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-22 15:45 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-22 15:45 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-22 15:45 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-22 15:44 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-22 15:44 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-22 15:44 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-22 15:44 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-22 15:44 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-22 02:32 . 2008-03-22 02:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-22 02:32 . 2008-03-22 02:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 02:32 . 2008-03-22 02:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 02:29 . 2008-03-22 02:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC-Cleaner
2008-03-22 02:25 . 2008-03-22 02:26 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-22 02:07 . 2008-03-22 02:07 <DIR> d-------- C:\Documents and Settings\Administrator\Desktopvirii
2008-03-22 02:06 . 2008-03-22 02:06 21,692 --a------ C:\Program Files\antiviirus.exe
2008-03-22 00:33 . 2008-03-22 02:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-22 00:32 . 2008-03-22 14:24 <DIR> d-------- C:\Program Files\Java
2008-03-22 00:32 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-22 00:31 . 2008-03-22 00:32 <DIR> d-------- C:\Program Files\LimeWire
2008-03-22 00:31 . 2008-03-22 00:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-20 19:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 19:35 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-19 22:44 . 2008-03-19 22:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-19 22:44 . 2008-03-19 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-19 22:44 . 2008-03-20 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-19 22:44 . 2008-03-23 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-19 21:28 . 2008-03-19 21:28 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-19 18:40 . 2008-03-19 18:40 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-19 18:40 . 2003-03-18 20:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-03-19 18:40 . 2003-03-18 19:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-03-19 18:40 . 2003-02-21 03:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-03-19 18:21 . 2008-03-19 18:21 <DIR> d-------- C:\Program Files\Logitech
2008-03-19 18:21 . 2008-03-19 18:21 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-03-19 18:14 . 2008-03-19 18:14 <DIR> d-------- C:\Program Files\Driver-Soft
2008-03-19 18:14 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-03-19 18:14 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-03-19 18:09 . 2008-03-22 22:14 <DIR> d-------- C:\Program Files\Full Tilt Poker
2008-03-19 18:02 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-19 18:02 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-19 18:02 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-19 18:02 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-19 17:58 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-19 17:58 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-19 17:58 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-19 17:58 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-19 17:03 . 2008-03-19 17:03 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-19 16:39 . 2008-03-19 16:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-19 16:17 . 2008-03-19 16:17 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-19 16:15 . 2007-12-07 02:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-19 16:15 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-19 16:15 . 2007-07-01 03:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-19 16:15 . 2007-12-07 02:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-19 16:15 . 2007-12-07 02:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-19 16:15 . 2007-12-07 02:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-19 16:15 . 2007-12-07 02:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-19 16:15 . 2007-12-07 02:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-19 16:15 . 2007-12-06 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-19 16:01 . 2008-03-19 16:01 <DIR> d-------- C:\Program Files\MSBuild
2008-03-19 15:58 . 2008-03-19 16:46 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-19 15:57 . 2008-03-19 15:57 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-19 15:56 . 2008-03-19 15:56 <DIR> d-------- C:\d284db27e9131b6ecd52e6
2008-03-19 15:56 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-19 15:50 . 2008-03-19 15:50 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-19 15:49 . 2008-03-19 15:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-19 15:48 . 2008-03-19 15:48 <DIR> d-------- C:\Program Files\Sigmatel
2008-03-19 15:36 . 2008-03-19 15:36 <DIR> d-------- C:\Program Files\CONEXANT
2008-03-19 15:34 . 2008-03-19 15:35 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-03-19 14:44 . 2006-11-13 06:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-03-19 14:44 . 2006-11-13 06:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-03-19 14:44 . 2006-11-13 06:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-03-19 13:38 . 2008-03-19 16:29 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-19 13:38 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-19 13:34 . 2008-03-19 13:34 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-19 13:34 . 2008-03-19 18:21 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-19 13:34 . 2008-03-19 17:02 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-19 13:34 . 2008-03-19 13:34 <DIR> d-------- C:\Program Files\Broadcom
2008-03-19 13:34 . 2008-03-19 13:34 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-03-19 13:33 . 2008-03-19 13:33 <DIR> d-------- C:\dell
2008-03-19 12:26 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 15:54 --------- d-----w C:\Program Files\Microsoft Works
2008-03-18 10:51 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-18 10:51 --------- d-----w C:\Program Files\Common Files\L&H
2008-03-18 10:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-18 10:38 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-18 10:28 --------- d-----w C:\Program Files\Synaptics
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-08-30 21:39 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-30 21:39 536576]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-20 19:35 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-19 22:44 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-03 22:56]

*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_ANTIVIRUS
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 15:36:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-23 15:36:42
ComboFix-quarantined-files.txt 2008-03-23 15:36:26
.
2008-03-20 19:48:26 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:38:44, on 23/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205933728406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205936870593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 6187 bytes
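The "Files Created" section of the ComboFix log above has a fixed shape: creation time, last-write time, size or <DIR>, a nine-character attribute string (d for directory, r read-only, a archive, h hidden, s system; the remaining positions are not used here) and the path. That makes it easy to triage mechanically. The Python below is an added example, not part of this thread and not part of ComboFix; it parses those lines and picks out files worth a second look: a binary carrying hidden or system attributes outside C:\WINDOWS, a binary sitting in the Program Files root, and anything created within the hour before the scan started (a freshly written file while a dropper is still active). The one-hour window, the extension list and the attribute letters are assumptions. A flag means "review this", not "malicious": the rules pick out C:\Program Files\tmp0.exe alongside antiviirus.exe, and the thread itself says nothing about tmp0.exe.

```python
import re
from datetime import datetime, timedelta

# Header plus a handful of "Files Created" lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
ComboFix 08-03-22.3 - Administrator 2008-03-23 15:34:32.1 - NTFSx86
2008-03-23 15:20 . 2008-03-23 15:20 16,568 -r-hs---- C:\Program Files\tmp0.exe
2008-03-22 16:46 . 2008-03-22 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-22 15:45 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-22 02:06 . 2008-03-22 02:06 21,692 --a------ C:\Program Files\antiviirus.exe
2008-03-19 18:02 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-19 13:38 . 2008-03-19 16:29 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-19 13:34 . 2008-03-19 13:34 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-03-19 15:56 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
""".strip().splitlines()

HEADER_RE = re.compile(r"^ComboFix .* (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Assumed: extensions treated as executable content.
BINARY_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif")
# Assumed window for "created just before the scan".
RECENT = timedelta(hours=1)

def parse_entry(line):
    """Turn one 'Files Created' line into a dict; returns None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return {
        "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
        "is_dir": size == "<DIR>",
        "size": None if size == "<DIR>" else int(size.replace(",", "")),
        "attrs": set(m.group("attrs").replace("-", "")),   # e.g. {'r', 'h', 's'}
        "path": m.group("path"),
    }

def scan_time_of(lines):
    """Scan start time from the ComboFix header line, or None if absent."""
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return None

def triage_entry(entry, scan_time):
    """Return the reasons a file entry deserves review (directories are skipped)."""
    reasons = []
    if entry["is_dir"]:
        return reasons
    path = entry["path"].lower()
    parent = path.rpartition("\\")[0]
    is_binary = path.endswith(BINARY_EXT)
    under_windows = path.startswith("c:\\windows\\")
    if is_binary and entry["attrs"] & {"h", "s"} and not under_windows:
        reasons.append("binary with hidden/system attributes outside the Windows directory")
    if is_binary and parent == "c:\\program files":
        reasons.append("binary in the Program Files root rather than a vendor folder")
    if scan_time and timedelta(0) <= scan_time - entry["created"] <= RECENT:
        reasons.append("created within the hour before the scan")
    return reasons

def triage_log(lines):
    """Parse a ComboFix log and return [(path, reasons)] for entries with a reason."""
    scan_time = scan_time_of(lines)
    hits = []
    for line in lines:
        entry = parse_entry(line)
        if entry:
            reasons = triage_entry(entry, scan_time)
            if reasons:
                hits.append((entry["path"], reasons))
    return hits

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("    -", reason)
```

On the sample, tmp0.exe collects all three reasons (read-only, hidden and system attributes on an .exe in the Program Files root, written fourteen minutes before the scan) and antiviirus.exe only the location one; the avast! drivers under system32\drivers and the dllcache copies pass, because hidden and system files are normal inside C:\WINDOWS and the scan-time window is deliberately narrow.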

#5 Sheepy1903 (Topic Starter, New Member, 9 posts)
I have just done a scan and my AVG has still found the Trojan horse Dropper.Agent.HHK virus, but it has also found a new one called Trojan horse SHeur.BAHW. Sorry to be a pest.

#6 loophole (Malware Expert, Retired Staff, 9,798 posts)
You're not a pest :) It's Easter here, so I had family things to do.

Let me know what AVG is finding, in particular the path to the file, for instance C:\windows\badfile etc.

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

This suggests you have two antivirus programs running at the same time, which is not good. Please uninstall one of them (Avast is better, in my opinion).

We have a couple of bad files to delete, but they aren't active anymore. Let's do the step below.




Next

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your operating system (XP SP2).

Download the file and save it as it is originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

#7 Sheepy1903 (Topic Starter, New Member, 9 posts)
Once again, thanks for your help. After the first scan I got the two virus messages, but after I hit Heal they seem to have gone, hopefully.

Attached is the log as you asked, and I haven't rebooted.

ComboFix 08-03-22.3 - Administrator 2008-03-24 18:16:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-22 16:46 . 2008-03-22 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-22 15:45 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-22 15:45 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-22 15:45 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-22 15:44 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-22 15:44 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-22 15:44 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-22 15:44 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-22 15:44 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-22 02:32 . 2008-03-22 02:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-22 02:32 . 2008-03-22 02:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 02:32 . 2008-03-22 02:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 02:29 . 2008-03-22 02:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC-Cleaner
2008-03-22 02:25 . 2008-03-22 02:26 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-22 02:07 . 2008-03-22 02:07 <DIR> d-------- C:\Documents and Settings\Administrator\Desktopvirii
2008-03-22 02:06 . 2008-03-22 02:06 21,692 --a------ C:\Program Files\antiviirus.exe
2008-03-22 00:33 . 2008-03-22 02:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-22 00:32 . 2008-03-22 14:24 <DIR> d-------- C:\Program Files\Java
2008-03-22 00:32 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-22 00:31 . 2008-03-22 00:32 <DIR> d-------- C:\Program Files\LimeWire
2008-03-22 00:31 . 2008-03-22 00:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-20 19:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 19:35 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-19 22:44 . 2008-03-19 22:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-19 22:44 . 2008-03-19 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-19 22:44 . 2008-03-20 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-19 22:44 . 2008-03-24 18:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-19 21:28 . 2008-03-19 21:28 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-19 18:40 . 2008-03-19 18:40 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-19 18:40 . 2003-03-18 20:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-03-19 18:40 . 2003-03-18 19:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-03-19 18:40 . 2003-02-21 03:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-03-19 18:21 . 2008-03-19 18:21 <DIR> d-------- C:\Program Files\Logitech
2008-03-19 18:21 . 2008-03-19 18:21 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-03-19 18:14 . 2008-03-19 18:14 <DIR> d-------- C:\Program Files\Driver-Soft
2008-03-19 18:14 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-03-19 18:14 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-03-19 18:09 . 2008-03-23 22:38 <DIR> d-------- C:\Program Files\Full Tilt Poker
2008-03-19 18:02 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-19 18:02 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-19 18:02 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-19 18:02 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-19 17:58 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-19 17:58 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-19 17:58 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-19 17:58 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-19 17:03 . 2008-03-19 17:03 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-19 16:39 . 2008-03-19 16:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-19 16:17 . 2008-03-19 16:17 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-19 16:15 . 2007-12-07 02:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-19 16:15 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-19 16:15 . 2007-07-01 03:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-19 16:15 . 2007-12-07 02:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-19 16:15 . 2007-12-07 02:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-19 16:15 . 2007-12-07 02:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-19 16:15 . 2007-12-07 02:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-19 16:15 . 2007-12-07 02:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-19 16:15 . 2007-12-06 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-19 16:01 . 2008-03-19 16:01 <DIR> d-------- C:\Program Files\MSBuild
2008-03-19 15:58 . 2008-03-19 16:46 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-19 15:57 . 2008-03-19 15:57 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-19 15:56 . 2008-03-19 15:56 <DIR> d-------- C:\d284db27e9131b6ecd52e6
2008-03-19 15:56 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-19 15:50 . 2008-03-19 15:50 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-19 15:49 . 2008-03-19 15:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-19 15:48 . 2008-03-19 15:48 <DIR> d-------- C:\Program Files\Sigmatel
2008-03-19 15:36 . 2008-03-19 15:36 <DIR> d-------- C:\Program Files\CONEXANT
2008-03-19 15:34 . 2008-03-19 15:35 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-03-19 14:44 . 2006-11-13 06:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-03-19 14:44 . 2006-11-13 06:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-03-19 14:44 . 2006-11-13 06:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-03-19 13:38 . 2008-03-19 16:29 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-19 13:38 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-19 13:34 . 2008-03-19 13:34 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-19 13:34 . 2008-03-19 18:21 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-19 13:34 . 2008-03-19 17:02 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-19 13:34 . 2008-03-19 13:34 <DIR> d-------- C:\Program Files\Broadcom
2008-03-19 13:34 . 2008-03-19 13:34 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-03-19 13:33 . 2008-03-19 13:33 <DIR> d-------- C:\dell
2008-03-19 12:26 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 15:54 --------- d-----w C:\Program Files\Microsoft Works
2008-03-18 10:51 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-18 10:51 --------- d-----w C:\Program Files\Common Files\L&H
2008-03-18 10:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-18 10:38 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-18 10:28 --------- d-----w C:\Program Files\Synaptics
.

((((((((((((((((((((((((((((( snapshot@2008-03-23_15.36.21.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-24 18:03:05 16,384 ----atw C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Perflib_Perfdata_798.dat
- 2008-03-23 15:20:29 219,356 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-03-24 18:03:23 219,369 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-08-30 21:39 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-30 21:39 536576]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-20 19:35 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-19 22:44 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-03 22:56]

*Newly Created Service* - APPMGMT
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 18:17:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-24 18:17:38
ComboFix-quarantined-files.txt 2008-03-24 18:17:29
ComboFix2.txt 2008-03-23 15:36:43
.
2008-03-20 19:48:26 --- E O F ---

#8 Sheepy1903 (New Member, Topic Starter, 9 posts)
Doing an AVG scan just now, I seem to have a Trojan horse Downloader.Zlob.VKB, and the path is C:\WINDOWS\system32\neiggrjj.exe.

#9 Sheepy1903 (New Member, Topic Starter, 9 posts)
Sorry to be a pest, and I know you are very busy doing a wonderful job here, but I have kept my laptop running for 2 days non-stop as requested and am wondering what my next step is to clear the viruses.

Thanks,

Scott

#10 loophole (Malware Expert, Retired Staff, 9,798 posts)
Sorry, I had to leave town rather suddenly for work and just got back this morning.

Let's get this cleaned up. Run ComboFix one more time and post the log. I will be online all day, so I won't be delayed in getting to you :)

#11 Sheepy1903 (New Member, Topic Starter, 9 posts)
Thanks for your time, and I hope you don't think I am being impatient, as I really appreciate your help and expertise in this.

Here is the log:

ComboFix 08-03-22.3 - Administrator 2008-03-27 17:56:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.647 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-24 19:19 . 2008-03-24 19:19 <DIR> d-------- C:\WINDOWS\Sun
2008-03-22 16:46 . 2008-03-22 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-22 02:32 . 2008-03-22 02:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-22 02:32 . 2008-03-22 02:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 02:32 . 2008-03-22 02:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 02:29 . 2008-03-22 02:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC-Cleaner
2008-03-22 02:25 . 2008-03-22 02:26 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-22 02:07 . 2008-03-22 02:07 <DIR> d-------- C:\Documents and Settings\Administrator\Desktopvirii
2008-03-22 00:33 . 2008-03-22 02:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-22 00:32 . 2008-03-24 19:50 <DIR> d-------- C:\Program Files\Java
2008-03-22 00:32 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-22 00:31 . 2008-03-22 00:32 <DIR> d-------- C:\Program Files\LimeWire
2008-03-22 00:31 . 2008-03-22 00:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-20 19:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 19:35 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-19 22:44 . 2008-03-19 22:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-19 22:44 . 2008-03-19 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-19 22:44 . 2008-03-20 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-19 22:44 . 2008-03-27 17:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-19 21:28 . 2008-03-19 21:28 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-19 18:40 . 2008-03-19 18:40 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-19 18:40 . 2003-03-18 20:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-03-19 18:40 . 2003-03-18 19:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-03-19 18:40 . 2003-02-21 03:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-03-19 18:21 . 2008-03-19 18:21 <DIR> d-------- C:\Program Files\Logitech
2008-03-19 18:21 . 2008-03-19 18:21 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-03-19 18:14 . 2008-03-19 18:14 <DIR> d-------- C:\Program Files\Driver-Soft
2008-03-19 18:14 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-03-19 18:14 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-03-19 18:09 . 2008-03-24 23:07 <DIR> d-------- C:\Program Files\Full Tilt Poker
2008-03-19 18:02 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-19 18:02 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-19 18:02 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-19 18:02 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-19 17:58 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-19 17:58 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-19 17:58 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-19 17:58 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-19 17:03 . 2008-03-19 17:03 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-19 16:39 . 2008-03-19 16:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-19 16:17 . 2008-03-19 16:17 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-19 16:15 . 2007-12-07 02:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-19 16:15 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-19 16:15 . 2007-07-01 03:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-19 16:15 . 2007-12-07 02:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-19 16:15 . 2007-12-07 02:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-19 16:15 . 2007-12-07 02:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-19 16:15 . 2007-12-07 02:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-19 16:15 . 2007-12-07 02:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-19 16:15 . 2007-12-06 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-19 16:01 . 2008-03-19 16:01 <DIR> d-------- C:\Program Files\MSBuild
2008-03-19 15:58 . 2008-03-19 16:46 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-19 15:57 . 2008-03-19 15:57 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-19 15:56 . 2008-03-19 15:56 <DIR> d-------- C:\d284db27e9131b6ecd52e6
2008-03-19 15:56 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-19 15:50 . 2008-03-19 15:50 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-19 15:49 . 2008-03-19 15:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-19 15:48 . 2008-03-19 15:48 <DIR> d-------- C:\Program Files\Sigmatel
2008-03-19 15:36 . 2008-03-19 15:36 <DIR> d-------- C:\Program Files\CONEXANT
2008-03-19 15:34 . 2008-03-19 15:35 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-03-19 14:44 . 2006-11-13 06:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-03-19 14:44 . 2006-11-13 06:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-03-19 14:44 . 2006-11-13 06:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-03-19 13:38 . 2008-03-19 16:29 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-19 13:38 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-19 13:34 . 2008-03-19 13:34 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-19 13:34 . 2008-03-19 18:21 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-19 13:34 . 2008-03-19 17:02 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-19 13:34 . 2008-03-19 13:34 <DIR> d-------- C:\Program Files\Broadcom
2008-03-19 13:34 . 2008-03-19 13:34 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-03-19 13:33 . 2008-03-19 13:33 <DIR> d-------- C:\dell
2008-03-19 12:26 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 15:54 --------- d-----w C:\Program Files\Microsoft Works
2008-03-18 10:51 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-18 10:51 --------- d-----w C:\Program Files\Common Files\L&H
2008-03-18 10:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-18 10:38 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-18 10:28 --------- d-----w C:\Program Files\Synaptics
.

((((((((((((((((((((((((((((( snapshot@2008-03-23_15.36.21.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-23 15:20:29 219,356 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-03-27 17:05:59 219,356 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-08-30 21:39 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-30 21:39 536576]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-20 19:35 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-19 22:44 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-03 22:56]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 17:58:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-27 17:58:43
ComboFix-quarantined-files.txt 2008-03-27 17:58:34
ComboFix2.txt 2008-03-24 18:17:38
ComboFix3.txt 2008-03-23 15:36:43
.
2008-03-20 19:48:26 --- E O F ---

#12 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi,

Nothing really in the Combo log.

This leads me to believe that C:\WINDOWS\system32\neiggrjj.exe is just a leftover file that's not doing anything, but let's run a fix and see what we get.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click smitfraudfix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

#13 Sheepy1903 (New Member, Topic Starter, 9 posts)
SmitFraudFix v2.309

Scan done at 15:49:47.32, 28/03/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{778BD423-D592-49D4-8AA6-F32D8364DC1E}: DhcpNameServer=192.168.150.1 194.105.166.1 194.105.167.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F54CA4EE-0CAC-4F5D-9F36-978B3947AD6D}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{778BD423-D592-49D4-8AA6-F32D8364DC1E}: DhcpNameServer=192.168.150.1 194.105.166.1 194.105.167.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F54CA4EE-0CAC-4F5D-9F36-978B3947AD6D}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{778BD423-D592-49D4-8AA6-F32D8364DC1E}: DhcpNameServer=192.168.150.1 194.105.166.1 194.105.167.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F54CA4EE-0CAC-4F5D-9F36-978B3947AD6D}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End