Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

don't know about the infection [CLOSED]


  • This topic is locked This topic is locked

#1
dantool

dantool

    Member

  • Member
  • PipPip
  • 12 posts
my computer has been hijacked.these are the problems i'm facing
command prompt disabled
system restore disabled
task manager disabled
whenever i login i get the following message:
BEST WISHES M.A.A.A

here's my hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:48 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Web\Sys.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\cmd.exe
E:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ZTE CDMA1X CARD\PcmciaApp.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - E:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CDMA1X CARD] C:\Program Files\ZTE CDMA1X CARD\Startup.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NoooH] C:\WINDOWS\Web\Sys.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Free Download Manager] "E:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://E:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://E:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{375D8B12-A8D6-4395-9D7A-A1F434A52594}: NameServer = 202.138.97.193 202.138.96.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Documents and Settings\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - E:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - E:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 6103 bytes
  • 0

Advertisements


#2
dantool

dantool

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
uninstall list

Ad-Aware 2007
Adobe Flash Player ActiveX
AusLogics Disk Defrag
AusLogics Registry Defrag
avast! Antivirus
Avira AntiVir PersonalEdition Classic
CCleaner (remove only)
Foxit Reader
Free Download Manager 2.5
GOM Player
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB935448)
Intel® Graphics Media Accelerator Driver
Jarte 3.2
Java 2 Runtime Environment, SE v1.4.1_06
Java 2 Runtime Environment, SE v1.4.2_16
Java™ 6 Update 3
Java™ 6 Update 4
LimeWire PRO 4.16.4
Microsoft Office XP Professional with FrontPage
Opera 9.25
Opera 9.26
PeaZip 1.11
Power Indiabulls
Realtek High Definition Audio Driver
REALTEK RTL8187B Wireless LAN Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SUPERAntiSpyware Free Edition
TOSHIBA Software Modem
TradeAnywhere
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Window Washer
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Yahoo! Messenger
ZoneAlarm
ZoneAlarm Spy Blocker
ZTE CDMA1X CARD

Edited by dantool, 30 March 2008 - 12:39 PM.

  • 0

#3
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hey dantool,
Good job on possting in the waiting room :)

Lets start with two tools:
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the requested logs :)

Harry
  • 0

#4
dantool

dantool

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
hi harrythook
thanx for your help
i've been able to remove the prompt "Best Wishes M.A.A.A" on login.
rest of the problems remain.

malwarebytes log::

Malwarebytes' Anti-Malware 1.10
Database version: 582

Scan type: Quick Scan
Objects scanned: 29539
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



combofix log::

ComboFix 08-04-01.2 - Toshiba 2008-04-02 10:58:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.461 [GMT 5.5:30]
Running from: C:\Documents and Settings\Toshiba\Application Data\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\CMMGR32.EXE
D:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-02 10:50 . 2008-04-02 10:50 <DIR> d-------- C:\Documents and Settings\Toshiba\Application Data\Malwarebytes
2008-04-02 10:50 . 2008-04-02 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-29 11:54 . 2008-03-31 12:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-29 11:54 . 2008-03-31 11:48 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-29 11:54 . 2008-03-31 11:48 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-29 11:54 . 2008-03-31 11:48 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-28 12:48 . 2008-03-31 11:52 <DIR> d-------- C:\Documents and Settings\Toshiba\Application Data\UpdateStar
2008-03-27 13:24 . 2008-03-27 13:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-27 12:35 . 2008-03-31 12:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-27 12:35 . 2008-03-27 12:35 <DIR> d-------- C:\Documents and Settings\Toshiba\Application Data\SUPERAntiSpyware.com
2008-03-27 12:35 . 2008-03-27 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-27 11:35 . 2004-03-09 00:00 152,848 --a------ C:\WINDOWS\system32\comdlg32.OCX
2008-03-27 11:35 . 2004-03-09 00:00 124,688 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-03-17 12:00 . 2008-03-17 12:00 <DIR> d-------- C:\WINDOWS\Sun
2008-03-14 19:25 . 2008-03-14 19:25 19,552 --a------ C:\Documents and Settings\Toshiba\Application Data\GDIPFONTCACHEV1.DAT
2008-03-14 17:42 . 2008-03-29 10:08 115 --a------ C:\WINDOWS\system32\KillAll.bat
2008-03-08 10:15 . 2008-03-08 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-08 10:14 . 2008-03-08 10:14 <DIR> d-------- C:\Documents and Settings\Toshiba\Application Data\GRETECH
2008-03-05 17:05 . 2008-03-05 17:05 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-05 17:04 . 2008-03-05 17:04 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-05 17:02 . 2008-03-05 17:03 <DIR> d-------- C:\WINDOWS\ShellNew
2008-03-05 17:02 . 2008-03-05 17:02 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-03-05 12:09 . 2008-03-12 10:35 <DIR> d-------- C:\Downloads
2008-03-04 13:21 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-03 12:28 . 2008-03-03 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 05:30 8,265,760 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-02 05:30 --------- d-----w C:\Documents and Settings\Toshiba\Application Data\Free Download Manager
2008-04-01 15:30 100,472 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-31 07:01 --------- d-----w C:\Program Files\ZTE CDMA1X CARD
2008-03-31 07:00 --------- d-----w C:\Program Files\Opera
2008-03-29 07:42 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2008-03-27 07:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-13 06:38 --------- d-----w C:\Documents and Settings\Toshiba\Application Data\LimeWire
2008-03-04 08:07 --------- d-----w C:\Program Files\Java
2008-03-03 07:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 07:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-01 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-02-17 06:47 197,120 ----a-w C:\WINDOWS\system32\3-D_Disco_Baby_Demo.scr
2008-02-17 06:35 --------- d-----w C:\Program Files\3D Canyon Flight Screensaver
2008-02-13 13:17 --------- d-----w C:\Program Files\Common Files\Java
2008-02-13 06:23 --------- d-----w C:\Documents and Settings\Toshiba\Application Data\Auslogics
2008-02-12 13:22 --------- d-----w C:\Program Files\PeaZip
2008-02-12 12:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-12 06:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-12 06:01 --------- d-----w C:\Program Files\Yahoo!
2008-02-08 15:10 --------- d-----w C:\Program Files\Webroot
2008-02-08 15:10 --------- d-----w C:\Documents and Settings\Toshiba\Application Data\Webroot
2008-02-08 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-07 14:57 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-02-07 14:56 --------- d-----w C:\Program Files\Zone Labs
2008-02-07 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-07 13:32 --------- d-----w C:\Program Files\Alwil Software
2008-02-06 12:06 155,995 ----a-w C:\WINDOWS\java\Packages\NVL37V3T.ZIP
2008-02-05 08:25 --------- d-----w C:\Program Files\REALTEK RTL8187B Wireless LAN Driver
2008-02-05 08:25 --------- d-----w C:\Documents and Settings\Toshiba\Application Data\InstallShield
2008-02-05 08:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-02-05 08:23 --------- d-----w C:\Program Files\Realtek
2008-02-05 08:19 --------- d-----w C:\Program Files\ltmoh
2008-02-05 08:18 --------- d-----w C:\Program Files\Intel
2008-02-05 08:01 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-07 20:27 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-02-07 20:27 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-07 20:27 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-11-26 14:47 1206600]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"Free Download Manager"="E:\Program Files\Free Download Manager\fdm.exe" [2008-02-25 21:17 2465839]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"UpdateStar"="C:\Documents and Settings\Toshiba\Application Data\UpdateStar\UpdateStar.exe" [2008-03-25 15:45 4108976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-24 12:09 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-24 12:09 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-24 12:09 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 15:40 16384512 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-11-06 15:40 1826816 C:\WINDOWS\SkyTel.exe]
"CDMA1X CARD"="C:\Program Files\ZTE CDMA1X CARD\Startup.exe" [2005-05-30 08:56 122880]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 18:30 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"avgnt"="E:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\ODIN\\DIET\\DietOdin.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"E:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 oxser;OX16C95x Serial port driver;C:\WINDOWS\system32\DRIVERS\oxser.sys [2005-02-20 17:37]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2008-01-24 12:09]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 11:00:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-02 11:00:48
ComboFix-quarantined-files.txt 2008-04-02 05:30:45
Pre-Run: 28,515,680,256 bytes free
Post-Run: 28,495,085,568 bytes free
.
2008-03-12 09:21:37 --- E O F ---


hijack this log::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:40 AM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
E:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Toshiba\Application Data\UpdateStar\UpdateStar.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ZTE CDMA1X CARD\PcmciaApp.exe
C:\Program Files\Opera\Opera.exe
C:\TradeAnywhere\TradeAnywhere.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - E:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [CDMA1X CARD] C:\Program Files\ZTE CDMA1X CARD\Startup.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Free Download Manager] "E:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UpdateStar] C:\Documents and Settings\Toshiba\Application Data\UpdateStar\UpdateStar.exe -A
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://E:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://E:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{375D8B12-A8D6-4395-9D7A-A1F434A52594}: NameServer = 202.138.97.193 202.138.96.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Documents and Settings\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - E:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - E:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 6659 bytes
  • 0

#5
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hi dantool,
please read the instructions given, and follow them exactly.
You have Combofix installed in the wrong location, and if we encountered a problem there it could be very serious. From now on, please take your time and make sure everything is done as stated.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Harry
  • 0

#6
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP