Laggy Pc Avast keeps finding trojan [RESOLVED]



#1
nt6142

    Member

  • 16 posts
Hi all, I recently told my roommate about Stardock's WindowBlinds and BootSkin software... he liked the idea of changing the XP startup screen, and since Stardock BootSkin is free he thought he would try it... only he's dopey and grabbed some other Trojan, phishing, malware-infested crud and blamed all that occurred on me... then he told me he uninstalled McAfee a while ago 'cause it "slowed his system down".
Well, I ran the list of programs listed in the "read this before posting a HijackThis log" AND ComboFix, then I installed ZoneAlarm and Avast and ran Spybot.
Avast didn't auto-start the last time I booted his PC, so I reinstalled it and it found a trojan that I can't remember the name of...
His PC is also running a bit sluggish, so I ran HijackThis again. Here is his log. Work your majyk, guys. (Sorry my message is rambling... I had my ulnar nerve moved recently and I am typing through a haze of painkillers.)

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:42 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David Albin\Desktop\HiJackThis.exe

O2 - BHO: (no name) - {6E781301-9C7E-4E8D-807D-7E301CE6A7D7} - C:\WINDOWS\system32\xxyyxuRJ.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescamp...GamesCampus.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...8/pool/pool.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v46/wof/wof.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://origin.www.sh...HLGLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15021/CTPID.cab
O18 - Protocol: bw+0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O21 - SSODL: DrvVolume - {6ba87ec0-8566-41a7-90d3-7fe0b7aadcde} - (no file)
O21 - SSODL: SetupKbd - {2ae8f4d6-d363-426b-a19e-af6342a9b377} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 17017 bytes

thanks

#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O2 - BHO: (no name) - {6E781301-9C7E-4E8D-807D-7E301CE6A7D7} - C:\WINDOWS\system32\xxyyxuRJ.dll (file missing)

Check and fix all the O18 entries in HijackThis related to Logitech except for the first one (see below). Leave that one alone.

O18 - Protocol: bw+0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O21 - SSODL: DrvVolume - {6ba87ec0-8566-41a7-90d3-7fe0b7aadcde} - (no file)
O21 - SSODL: SetupKbd - {2ae8f4d6-d363-426b-a19e-af6342a9b377} - (no file)


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
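As an added illustration (this is not part of the thread and not greyknight17's own tooling), the selections in the post above follow two mechanical rules, which the Python script below applies to a handful of lines taken from the posted HijackThis log. It flags O2 and O21 entries whose referenced file is gone ("(file missing)" / "(no file)"), and O18 protocol handlers where a single CLSID/DLL pair is registered under many scheme names, keeping the first registration and flagging the rest, which is exactly the "all except the first one" instruction for the BWPlugProtocol set. The sample lines are constructed from the log in this thread; the rule names and the ORPHAN_SECTIONS set are the example's own choices, and the script deliberately leaves the separate bwfile-8876480 handler (a different CLSID and DLL) for a human to judge, whereas the helper above includes it in the fix.

```python
import re
from collections import OrderedDict

# Constructed sample in HijackThis v2 format, built from entries quoted in the
# thread plus one benign Java BHO and one avast! service for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6E781301-9C7E-4E8D-807D-7E301CE6A7D7} - C:\WINDOWS\system32\xxyyxuRJ.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O18 - Protocol: bw+0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O21 - SSODL: DrvVolume - {6ba87ec0-8566-41a7-90d3-7fe0b7aadcde} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O2 - BHO: <fields>", "O18 - Protocol: <fields>", "O4 - HKLM\..\Run: <fields>" ...
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+):\s*(.*)$")

# Sections the helper in this thread cleaned up when the referenced file is gone
# (example's own choice, mirroring the O2 and O21 picks in the post).
ORPHAN_SECTIONS = {"O2", "O21"}
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_entry(line):
    """Split one HijackThis line into section code, kind and ' - ' separated fields."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    return {"section": section, "kind": kind,
            "fields": [f.strip() for f in rest.split(" - ")],
            "raw": line.strip()}


def triage(log_text):
    """Return a list of (rule, raw_line) recommendations for a HijackThis log."""
    findings = []
    handlers = OrderedDict()  # (CLSID, DLL) -> first protocol scheme seen
    for line in log_text.strip().splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        path = entry["fields"][-1]
        # Rule 1: a registered loading point whose file no longer exists.
        if entry["section"] in ORPHAN_SECTIONS and path.endswith(ORPHAN_MARKERS):
            findings.append(("orphaned-entry", entry["raw"]))
        # Rule 2: one protocol handler DLL registered under many scheme names;
        # keep the first registration, flag the rest as redundant duplicates.
        if entry["section"] == "O18" and len(entry["fields"]) == 3:
            scheme, clsid, dll = entry["fields"]
            key = (clsid.lower(), dll.lower())
            if key in handlers:
                findings.append(("duplicate-protocol-handler", entry["raw"]))
            else:
                handlers[key] = scheme
    return findings


if __name__ == "__main__":
    for rule, raw in triage(SAMPLE_LOG):
        print(f"{rule:28s} {raw}")
```

Running it prints four recommendations: the orphaned xxyyxuRJ.dll BHO, the bw+0s and bw00 duplicates of the BWPlugProtocol handler, and the DrvVolume SSODL entry with no file; the first bw+0 registration, the Java BHO, the avast! entries and the distinct bwfile-8876480 handler are left alone.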

#3
nt6142

nt6142

    Member

  • Topic Starter
  • 16 posts
OK, did what you asked. Here is the ComboFix log....

Let me know what's next...

ComboFix 08-04-11.1 - David Albin 2008-04-21 15:06:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.869 [GMT -4:00]
Running from: C:\Documents and Settings\David Albin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-15 19:02 . 2008-04-15 20:16 83 --a------ C:\WINDOWS\wa.INI
2008-04-15 13:34 . 2008-03-29 14:45 1,146,232 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-04-15 13:34 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-04-15 13:34 . 2008-03-29 14:23 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-04-15 13:34 . 2008-03-29 14:35 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-04-15 13:34 . 2008-01-17 11:34 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-04-15 13:34 . 2008-03-29 14:31 75,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswSP.sys
2008-04-15 13:34 . 2008-03-29 14:27 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-04-15 13:34 . 2008-03-29 14:26 26,944 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-04-15 13:34 . 2008-03-29 14:29 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-04-15 13:34 . 2008-03-29 14:35 20,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswFsBlk.sys
2008-04-11 14:04 . 2008-04-11 14:04 <DIR> d-------- C:\Program Files\Panda Security
2008-04-11 09:49 . 2008-04-11 09:49 3,648 --a------ C:\WINDOWS\SYSTEM32\ypmnugac.dll
2008-04-11 08:20 . 2008-04-11 08:20 <DIR> d-------- C:\Team17
2008-04-11 06:49 . 2008-04-11 06:49 <DIR> d-------- C:\Program Files\Stardock
2008-04-11 06:49 . 2008-04-11 06:49 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-04-11 06:49 . 2008-04-11 06:53 162,432 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vidstub.sys
2008-04-11 04:39 . 2008-04-11 04:42 148 --a------ C:\WINDOWS\wininit.ini
2008-04-11 02:36 . 2008-04-11 02:36 3,648 --a------ C:\WINDOWS\SYSTEM32\hmrhjybk.dll
2008-04-10 04:20 . 2008-04-21 15:09 835,616 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-04-10 04:20 . 2008-04-17 22:42 10,316 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-04-10 04:17 . 2008-04-10 04:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-10 04:17 . 2008-04-10 04:18 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-04-10 04:16 . 2008-04-10 04:16 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-10 04:15 . 2008-04-21 15:01 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-10 03:05 . 2008-04-11 07:25 <DIR> d-------- C:\Program Files\AnswersThatWork
2008-04-10 03:05 . 1998-04-24 00:00 368,912 --a------ C:\WINDOWS\SYSTEM32\vbar332.dll
2008-04-09 21:20 . 2008-04-09 21:20 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-09 21:16 . 2008-04-09 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Playtonium Games
2008-04-09 21:04 . 2008-04-15 19:46 <DIR> d-------- C:\Program Files\Pat Sajaks Lucky Letters TV Guide Edition
2008-04-09 20:51 . 2008-04-09 21:14 <DIR> d-------- C:\Documents and Settings\David Albin\Application Data\TmpRecentIcons
2008-04-09 20:09 . 2008-04-10 03:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-09 19:48 . 2008-04-09 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-09 19:47 . 2008-04-09 19:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-04-09 19:02 . 2008-04-09 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\tktavibi
2008-04-09 19:02 . 2008-04-09 19:02 98,304 --a------ C:\WINDOWS\SYSTEM32\nmrmbqts.exe
2008-04-07 21:09 . 2008-04-11 07:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-26 19:45 . 2008-03-26 19:45 <DIR> d-------- C:\Documents and Settings\David Albin\Application Data\Oberon Media
2008-03-26 19:45 . 2008-04-10 03:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-26 19:44 . 2008-03-26 19:44 <DIR> d-------- C:\Program Files\Oberon Media
2008-03-26 19:44 . 2008-03-26 22:05 <DIR> d-------- C:\Program Files\Juno
2008-03-26 19:44 . 2008-03-26 19:44 <DIR> d-------- C:\Program Files\Common Files\Oberon Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 14:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-15 16:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-11 19:06 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8973.sys
2008-04-10 07:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-31 00:47 --------- d-----w C:\Program Files\ShotOnline International
2008-03-30 23:53 --------- d-----w C:\Program Files\FastCrawl
2008-03-30 23:46 --------- d-----w C:\Program Files\eGames
2008-03-28 11:55 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-28 11:55 249,856 ------w C:\WINDOWS\Setup1.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-14 03:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-14 03:11 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-03-12 22:57 --------- d-----w C:\Program Files\VS Revo Group
2008-03-07 14:04 229,376 ----a-r C:\WINDOWS\SYSTEM32\SZBase5.dll
2008-03-03 18:16 33,920 ----a-r C:\WINDOWS\system32\drivers\SZKG.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-02-22 18:52 126,976 ----a-r C:\WINDOWS\SYSTEM32\IS3HTUI5.dll
2008-02-22 18:51 372,736 ----a-r C:\WINDOWS\SYSTEM32\IS3UI5.dll
2008-02-22 18:51 364,544 ----a-r C:\WINDOWS\SYSTEM32\IS3DBA5.dll
2008-02-22 18:50 61,440 ----a-r C:\WINDOWS\SYSTEM32\IS3Hks5.dll
2008-02-22 18:50 23,040 ----a-r C:\WINDOWS\SYSTEM32\IS3XDat5.dll
2008-02-22 18:50 192,512 ----a-r C:\WINDOWS\SYSTEM32\IS3Win325.dll
2008-02-22 18:49 94,208 ----a-r C:\WINDOWS\SYSTEM32\IS3Inet5.dll
2008-02-22 18:49 90,112 ----a-r C:\WINDOWS\SYSTEM32\IS3Svc5.dll
2008-02-22 18:45 708,608 ----a-r C:\WINDOWS\SYSTEM32\IS3Base5.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2006-06-19 10:39 894 -c--a-w C:\Program Files\hitmanbloodmoneydemo.lnk
2006-06-19 04:40 796,055,374 ----a-w C:\Program Files\hitmanbloodmoneydemo.zip
2006-01-10 22:05 266 --sh--w C:\Program Files\desktop.ini
2006-01-10 22:05 11,079 -c-ha-w C:\Program Files\folder.htt
2005-05-12 04:36 12,288 -c--a-w C:\WINDOWS\FONTS\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-21_15.12.09.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-09 15:46:23 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-04-18 02:36:51 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-04-21 18:53:27 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_734.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-14 22:24 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-28 03:47 7573504]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 14:37 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-07-14 22:24:36 450560]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-14 22:23:27 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iM StartCenter.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iM StartCenter.lnk
backup=C:\WINDOWS\pss\iM StartCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]
C:\PROGRA~1\McAfee.com\Shared\mcappins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a--c--- 2005-12-08 12:06 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GTRipple]
C:\Program Files\GTDesktop\Plugins\GTRipple.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-05-12 00:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2003-01-30 19:55 196608 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
--a--c--- 2003-01-30 19:55 311296 C:\WINDOWS\system32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a--c--- 2005-06-01 12:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-04-20 15:52 28672 C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2006-04-28 03:47 7573504 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
-ra--c--- 2006-04-28 03:47 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra--c--- 2006-04-28 03:47 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
--a--c--- 2007-04-05 12:53 898016 C:\Program Files\PCPitstop\Optimize\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
--a------ 2007-12-12 18:50 38128 C:\program files\ncsoft\launcher\NCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-12 18:43 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-02-18 19:42 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a--c--- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"szserver"=2 (0x2)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"C:\\Program Files\\Great Game Products\\Bridge Baron 16\\Baron.exe"=
"C:\\Program Files\\Hasbro Interactive\\Clue\\Clue.exe"=
"C:\\magicg\\Magic\\Manalink.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\NeverwinterNights\\NWN\\nwmain.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2006-06-09 14:15]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 18:31]
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2003-01-30 19:55]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);C:\WINDOWS\system32\DRIVERS\LwAdiHid.sys [2004-08-03 23:39]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 15:10:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-21 15:11:27
ComboFix-quarantined-files.txt 2008-04-21 19:11:17
ComboFix2.txt 2008-04-11 19:13:07
Pre-Run: 51,473,117,696 bytes free
Post-Run: 51,449,235,968 bytes free
.
2008-04-09 02:06:01 --- E O F ---
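
An added example for readers of this thread (it is not part of the posts above and not ComboFix code): a small Python reader for the "Reg Loading Points" dump that ComboFix prints. It parses the [key] / "Name"=value layout, lists the startup items stored under HKLM\...\msconfig\startupreg (that key holds the entries unticked on msconfig's Startup tab, which is why they appear in the log but do not run), and flags the three settings in this log that a practitioner would want explained: AntiVirusDisableNotify=1 turns off Security Center's antivirus warnings, DisableMonitoring=1 under Monitoring\ZoneLabsFirewall stops Security Center from tracking that product's status, and EnableFirewall=0 in the standard profile means the Windows Firewall is off. Here ZoneAlarm is the intended firewall, so the last one is expected rather than a problem, but it is exactly the kind of value to confirm rather than skim past. The sample text is an excerpt of the log posted above. One assumption: a startupreg line printed without the attribute/date/size prefix is treated as "ComboFix found no file at that path", which fits the McAfee entries left behind after McAfee was uninstalled, but that is an inference from this log, not a documented ComboFix rule.

```python
"""Summarise the "Reg Loading Points" part of a ComboFix log.

Added example for this thread; not ComboFix code and not the posters' work.
SAMPLE_LOG is an excerpt of the log posted above.  Assumption: a startupreg
entry printed without the attribute/date/size prefix is one whose file
ComboFix did not find (fits the McAfee leftovers), not a documented rule.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a--c--- 2005-12-08 12:06 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""
# "<attrs> <date> <time> <size> <path>": how ComboFix prints a file it found.
FILE_INFO = re.compile(r"^(?P<attr>[-a-z]{9}) (?P<date>\d{4}-\d{2}-\d{2}) "
                       r"(?P<time>\d{2}:\d{2}) (?P<size>\d+) (?P<path>.+)$")
# "Name"=dword:00000001  or  "Name"=3 (0x3)
VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]+)|'
                   r'(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))\s*$')

@dataclass
class StartupItem:
    name: str               # msconfig item name (last key component)
    command: str            # path or command line recorded for it
    file_seen: bool         # attribute/date/size prefix was present
    size: Optional[int] = None
    modified: Optional[str] = None

def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a REGEDIT4-style dump into {key: [non-empty body lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_values(lines: List[str]) -> Dict[str, int]:
    """Decode "Name"=value lines (dword hex or decimal) into ints."""
    out: Dict[str, int] = {}
    for m in filter(None, map(VALUE.match, lines)):
        out[m["name"]] = int(m["hex"], 16) if m["hex"] else int(m["dec"])
    return out

def disabled_startup_items(sections) -> List[StartupItem]:
    """msconfig\\startupreg holds the startup items unticked in msconfig."""
    items = []
    for key, lines in sections.items():
        m = re.search(r"\\msconfig\\startupreg\\([^\\]+)$", key, re.I)
        if not m or not lines:
            continue
        f = FILE_INFO.match(lines[0])
        if f:   # file present on disk when ComboFix ran (see assumption above)
            items.append(StartupItem(m[1], f["path"], True, int(f["size"]),
                                     f"{f['date']} {f['time']}"))
        else:   # only the stored command line; no file metadata printed
            items.append(StartupItem(m[1], lines[0], False))
    return items

def security_findings(sections) -> List[str]:
    """Security Center and firewall-policy values worth a second look."""
    findings = []
    for key, lines in sections.items():
        k, values = key.lower(), parse_values(lines)
        if k.endswith("\\security center"):
            findings += [f"security_center_notify_disabled:{n}"
                         for n, v in values.items()
                         if n.lower().endswith("disablenotify") and v == 1]
        elif "\\security center\\monitoring\\" in k:
            if values.get("DisableMonitoring") == 1:
                findings.append("security_center_monitoring_disabled:"
                                + key.rsplit("\\", 1)[-1])
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall") == 0:
                findings.append("windows_firewall_disabled:standardprofile")
    return findings
```

Run it against a full ComboFix log by passing the file's text to parse_sections() and handing the result to disabled_startup_items() and security_findings(); on the excerpt above, the McAfee item comes back with file_seen False while CTHelper carries its size and timestamp, and all three Security Center/firewall findings are reported.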

#4
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Are you having problems installing the Recovery Console? Go back to where you downloaded ComboFix and follow the instructions to install it. Skip the CD part; go with the download instead. Download it and then just drag and drop that XP boot disk file onto ComboFix to install it.

Open up C:\WINDOWS\wininit.ini and post the contents of that file here.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\SYSTEM32\ypmnugac.dll
C:\WINDOWS\SYSTEM32\hmrhjybk.dll
C:\WINDOWS\SYSTEM32\nmrmbqts.exe
Folder::
C:\Documents and Settings\All Users\Application Data\tktavibi

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far?

#5
nt6142
    Member
  • Topic Starter
  • 16 posts
Greyknight17,

First I shut down the firewall, then I shut down the antivirus software, but every time I used ComboFix on the PC a window opened saying "installation failed"; then it ran as normal. So I first used the XP fix file like you said and dragged it onto the ComboFix exe, then I used the CD method as well, then I made the script file and dragged it onto the exe. It manipulated the files from the script and rebooted.
The PC runs much better, although there is a lot of activity on the hard drive when it boots up. (The antivirus software also failed to autostart; when I checked msconfig, the startup option for it was gone. I had to reinstall Avast.)

Here is the .ini listing:

[rename]
c:\tempjunk8795.tmp=C:\WINDOWS\system32smp\msrc.exe
nul=c:\tempjunk5686.tmp
c:\tempjunk5686.tmp=C:\WINDOWS\SYSTEM32\xxyyxuRJ.dll_old

Here is the ComboFix log:

ComboFix 08-04-20.5 - David Albin 2008-04-22 0:35:46.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.878 [GMT -4:00]
Running from: C:\Documents and Settings\David Albin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Albin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\SYSTEM32\hmrhjybk.dll
C:\WINDOWS\SYSTEM32\nmrmbqts.exe
C:\WINDOWS\SYSTEM32\ypmnugac.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\tktavibi
C:\WINDOWS\SYSTEM32\hmrhjybk.dll
C:\WINDOWS\SYSTEM32\nmrmbqts.exe
C:\WINDOWS\SYSTEM32\ypmnugac.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-15 19:02 . 2008-04-15 20:16 83 --a------ C:\WINDOWS\wa.INI
2008-04-11 14:31 . 2008-04-11 14:35 <DIR> d-------- C:\!KillBox
2008-04-11 14:04 . 2008-04-11 14:04 <DIR> d-------- C:\Program Files\Panda Security
2008-04-11 08:20 . 2008-04-11 08:20 <DIR> d-------- C:\Team17
2008-04-11 06:49 . 2008-04-11 06:49 <DIR> d-------- C:\Program Files\Stardock
2008-04-11 06:49 . 2008-04-11 06:49 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-04-11 06:49 . 2008-04-11 06:53 162,432 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vidstub.sys
2008-04-11 04:39 . 2008-04-11 04:42 148 --a------ C:\WINDOWS\wininit.ini
2008-04-10 04:20 . 2008-04-22 00:43 970,784 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-04-10 04:20 . 2008-04-22 00:39 12,404 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-04-10 04:17 . 2008-04-10 04:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-10 04:17 . 2008-04-10 04:18 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-04-10 04:16 . 2008-04-10 04:16 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-10 04:15 . 2008-04-22 00:34 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-10 03:05 . 2008-04-11 07:25 <DIR> d-------- C:\Program Files\AnswersThatWork
2008-04-10 03:05 . 1998-04-24 00:00 368,912 --a------ C:\WINDOWS\SYSTEM32\vbar332.dll
2008-04-09 21:20 . 2008-04-09 21:20 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-09 21:16 . 2008-04-09 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Playtonium Games
2008-04-09 21:04 . 2008-04-15 19:46 <DIR> d-------- C:\Program Files\Pat Sajaks Lucky Letters TV Guide Edition
2008-04-09 20:51 . 2008-04-09 21:14 <DIR> d-------- C:\Documents and Settings\David Albin\Application Data\TmpRecentIcons
2008-04-09 20:09 . 2008-04-10 03:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-09 19:48 . 2008-04-09 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-09 19:47 . 2008-04-09 19:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-04-07 21:09 . 2008-04-11 07:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-26 19:45 . 2008-03-26 19:45 <DIR> d-------- C:\Documents and Settings\David Albin\Application Data\Oberon Media
2008-03-26 19:45 . 2008-04-10 03:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-26 19:44 . 2008-03-26 19:44 <DIR> d-------- C:\Program Files\Oberon Media
2008-03-26 19:44 . 2008-03-26 22:05 <DIR> d-------- C:\Program Files\Juno
2008-03-26 19:44 . 2008-03-26 19:44 <DIR> d-------- C:\Program Files\Common Files\Oberon Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 14:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-15 16:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-11 19:06 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8973.sys
2008-04-10 07:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-31 00:47 --------- d-----w C:\Program Files\ShotOnline International
2008-03-30 23:53 --------- d-----w C:\Program Files\FastCrawl
2008-03-30 23:46 --------- d-----w C:\Program Files\eGames
2008-03-28 11:55 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-28 11:55 249,856 ------w C:\WINDOWS\Setup1.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-14 03:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-14 03:11 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-03-12 22:57 --------- d-----w C:\Program Files\VS Revo Group
2008-03-07 14:04 229,376 ----a-r C:\WINDOWS\SYSTEM32\SZBase5.dll
2008-03-03 18:16 33,920 ----a-r C:\WINDOWS\system32\drivers\SZKG.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-02-22 18:52 126,976 ----a-r C:\WINDOWS\SYSTEM32\IS3HTUI5.dll
2008-02-22 18:51 372,736 ----a-r C:\WINDOWS\SYSTEM32\IS3UI5.dll
2008-02-22 18:51 364,544 ----a-r C:\WINDOWS\SYSTEM32\IS3DBA5.dll
2008-02-22 18:50 61,440 ----a-r C:\WINDOWS\SYSTEM32\IS3Hks5.dll
2008-02-22 18:50 23,040 ----a-r C:\WINDOWS\SYSTEM32\IS3XDat5.dll
2008-02-22 18:50 192,512 ----a-r C:\WINDOWS\SYSTEM32\IS3Win325.dll
2008-02-22 18:49 94,208 ----a-r C:\WINDOWS\SYSTEM32\IS3Inet5.dll
2008-02-22 18:49 90,112 ----a-r C:\WINDOWS\SYSTEM32\IS3Svc5.dll
2008-02-22 18:45 708,608 ----a-r C:\WINDOWS\SYSTEM32\IS3Base5.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2006-06-19 10:39 894 -c--a-w C:\Program Files\hitmanbloodmoneydemo.lnk
2006-06-19 04:40 796,055,374 ----a-w C:\Program Files\hitmanbloodmoneydemo.zip
2006-01-10 22:05 266 --sh--w C:\Program Files\desktop.ini
2006-01-10 22:05 11,079 -c-ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( [email protected]_15.12.09.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-22 04:40:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-02-09 04:05:37 2,048 -c--a-r C:\WINDOWS\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\msd82ico.exe
+ 2006-02-09 04:05:37 2,560 -c--a-r C:\WINDOWS\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\sbt.exe
+ 2006-02-09 04:05:37 2,048 -c--a-r C:\WINDOWS\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\wa32ico.exe
+ 2007-12-03 02:31:51 2,238 ----a-r C:\WINDOWS\Installer\{7EF15AAF-42AC-4CF6-B4B4-C4F0D1D92122}\ARPPRODUCTICON.exe
- 2008-02-09 15:46:23 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-04-18 02:36:51 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2007-12-03 02:22:23 2,238 ----a-r C:\WINDOWS\Installer\{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}\ARPPRODUCTICON.exe
+ 2006-01-17 23:51:44 2,378 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2001-07-14 21:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
+ 2004-08-04 12:00:00 2,000 -c--a-w C:\WINDOWS\SYSTEM\KEYBOARD.DRV
+ 2004-08-04 12:00:00 2,032 -c--a-w C:\WINDOWS\SYSTEM\MOUSE.DRV
+ 2004-08-04 12:00:00 1,744 -c--a-w C:\WINDOWS\SYSTEM\SOUND.DRV
+ 2004-08-04 12:00:00 2,176 -c--a-w C:\WINDOWS\SYSTEM\VGA.DRV
+ 2004-08-04 12:00:00 1,788 -c--a-w C:\WINDOWS\SYSTEM32\Dcache.bin
+ 2004-08-04 04:07:58 2,944 -c--a-w C:\WINDOWS\SYSTEM32\dllcache\drmkaud.sys
+ 2004-08-04 12:00:00 2,000 -c--a-w C:\WINDOWS\SYSTEM32\dllcache\keyboard.drv
+ 2004-08-04 12:00:00 2,560 -c--a-w C:\WINDOWS\SYSTEM32\dllcache\lz32.dll
+ 2004-08-04 12:00:00 2,032 -c--a-w C:\WINDOWS\SYSTEM32\dllcache\mouse.drv
+ 2004-08-04 12:00:00 2,944 -c--a-w C:\WINDOWS\SYSTEM32\dllcache\null.sys
+ 2004-08-04 12:00:00 1,744 -c--a-w C:\WINDOWS\SYSTEM32\dllcache\sound.drv
+ 2004-08-04 12:00:00 2,176 -c--a-w C:\WINDOWS\SYSTEM32\dllcache\vga.drv
+ 2004-08-04 12:00:00 2,864 -c--a-w C:\WINDOWS\SYSTEM32\dllcache\winsock.dll
+ 2004-08-04 12:00:00 2,112 -c--a-w C:\WINDOWS\SYSTEM32\dllcache\winspool.exe
+ 2004-08-04 12:00:00 2,736 -c--a-w C:\WINDOWS\SYSTEM32\dllcache\wowdeb.exe
+ 2004-08-04 04:07:58 2,944 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\drmkaud.sys
+ 2004-08-04 12:00:00 2,944 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\null.sys
+ 2004-08-04 12:00:00 2,000 -c--a-w C:\WINDOWS\SYSTEM32\keyboard.drv
+ 2004-08-04 12:00:00 2,560 ----a-w C:\WINDOWS\SYSTEM32\lz32.dll
+ 2004-08-04 12:00:00 2,032 -c--a-w C:\WINDOWS\SYSTEM32\mouse.drv
+ 2004-08-04 12:00:00 1,744 -c--a-w C:\WINDOWS\SYSTEM32\sound.drv
+ 2004-08-04 12:00:00 2,176 -c--a-w C:\WINDOWS\SYSTEM32\vga.drv
+ 2008-01-17 01:32:56 2,272 ----a-w C:\WINDOWS\SYSTEM32\w95inf16.dll
+ 2004-08-04 12:00:00 2,864 -c--a-w C:\WINDOWS\SYSTEM32\winsock.dll
+ 2004-08-04 12:00:00 2,112 -c--a-w C:\WINDOWS\SYSTEM32\winspool.exe
+ 2004-08-04 12:00:00 2,736 -c--a-w C:\WINDOWS\SYSTEM32\wowdeb.exe
+ 2007-05-31 04:03:30 1,628 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\pdmkl.dat
+ 2008-04-22 04:40:48 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_70c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-14 22:24 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-28 03:47 7573504]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-07-14 22:24:36 450560]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-14 22:23:27 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iM StartCenter.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iM StartCenter.lnk
backup=C:\WINDOWS\pss\iM StartCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]
C:\PROGRA~1\McAfee.com\Shared\mcappins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a--c--- 2005-12-08 12:06 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GTRipple]
C:\Program Files\GTDesktop\Plugins\GTRipple.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-05-12 00:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2003-01-30 19:55 196608 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
--a--c--- 2003-01-30 19:55 311296 C:\WINDOWS\system32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a--c--- 2005-06-01 12:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-04-20 15:52 28672 C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2006-04-28 03:47 7573504 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
-ra--c--- 2006-04-28 03:47 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra--c--- 2006-04-28 03:47 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
--a--c--- 2007-04-05 12:53 898016 C:\Program Files\PCPitstop\Optimize\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
--a------ 2007-12-12 18:50 38128 C:\program files\ncsoft\launcher\NCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-12 18:43 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-02-18 19:42 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a--c--- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"szserver"=2 (0x2)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"C:\\Program Files\\Great Game Products\\Bridge Baron 16\\Baron.exe"=
"C:\\Program Files\\Hasbro Interactive\\Clue\\Clue.exe"=
"C:\\magicg\\Magic\\Manalink.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\NeverwinterNights\\NWN\\nwmain.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2006-06-09 14:15]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 18:31]
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2003-01-30 19:55]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);C:\WINDOWS\system32\DRIVERS\LwAdiHid.sys [2004-08-03 23:39]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 00:41:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-04-22 0:46:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 04:45:52
ComboFix2.txt 2008-04-21 19:11:29
ComboFix3.txt 2008-04-11 19:13:07

Pre-Run: 51,401,434,112 bytes free
Post-Run: 51,383,322,112 bytes free

273 --- E O F --- 2008-04-09 02:06:01

#6
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Open up C:\WINDOWS\wininit.ini and delete everything inside of it. Copy/paste the below two lines into the file and save it:

[rename]
nul=


Confirm that the following does not exist:

c:\tempjunk8795.tmp
C:\WINDOWS\system32smp\
c:\tempjunk5686.tmp
C:\WINDOWS\SYSTEM32\xxyyxuRJ.dll_old


If any are found, delete them.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.


Post a new HijackThis log. We'll try disabling some startup programs to see if it helps with the constant hard drive activity issue.
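
An added example, not part of the posts and not from ComboFix or any other tool mentioned here: Python that decodes the wininit.ini listing from the previous reply and turns the "confirm that the following does not exist" step into a check. In the wininit.ini format, each line under [rename] reads destination=source; the source is moved to the destination when the file is processed at boot, and a destination of nul deletes the source. Read that way, the posted file would move msrc.exe out of the system32smp folder to c:\tempjunk8795.tmp, delete c:\tempjunk5686.tmp, and then move xxyyxuRJ.dll_old to that same temp name, which is why those paths are the ones to confirm gone. The replacement content ("[rename]" followed by "nul=") parses to no operations at all. Whether this XP machine would actually have processed the file at boot is a separate question the example does not settle. The heuristics that mark an entry as suspicious (a directory that merely resembles system32, a file renamed to *_old, a .tmp file sitting in the drive root) are this example's own, as is the injectable exists() hook that lets the check run without touching the disk.

```python
"""Decode a wininit.ini [rename] section and confirm the leftovers are gone.

Added example for this thread; not from the posters or any tool named here.
Assumed semantics are those of the wininit.ini format that legacy installers
and cleaners write: under [rename] each line is destination=source, the
source is moved to the destination at the next boot, and a destination of
nul means "delete the source".  The suspicion heuristics are this example's.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, List

# C:\WINDOWS\wininit.ini exactly as posted above.
POSTED_WININIT = r"""[rename]
c:\tempjunk8795.tmp=C:\WINDOWS\system32smp\msrc.exe
nul=c:\tempjunk5686.tmp
c:\tempjunk5686.tmp=C:\WINDOWS\SYSTEM32\xxyyxuRJ.dll_old
"""
# The replacement the expert asks for: a [rename] section with nothing to do.
CLEAN_WININIT = "[rename]\nnul=\n"

DRIVE_ROOT = re.compile(r"^[a-z]:$")

@dataclass
class PendingOp:
    action: str           # "move" or "delete"
    source: str
    destination: str      # "nul" for a delete
    reasons: List[str]    # why the entry looks suspicious; empty if none

def suspicion_reasons(*paths: str) -> List[str]:
    reasons = []
    for p in paths:
        low = p.lower()
        if low == "nul":
            continue
        folder, _, name = low.rpartition("\\")
        dirs = folder.split("\\")
        # system32smp and friends: a directory that only resembles system32
        if any("system32" in d and d != "system32" for d in dirs):
            reasons.append(f"system32 look-alike directory: {p}")
        if name.endswith("_old"):
            reasons.append(f"real file renamed out of the way: {p}")
        if DRIVE_ROOT.match(folder) and name.endswith(".tmp"):
            reasons.append(f"temp file in the drive root: {p}")
    return reasons

def parse_rename_section(text: str) -> List[PendingOp]:
    """Return the boot-time file operations a wininit.ini would perform."""
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (s.strip() for s in line.split("=", 1))
        if not src:
            continue                       # "nul=" alone: no operation
        action = "delete" if dest.lower() == "nul" else "move"
        ops.append(PendingOp(action, src, dest, suspicion_reasons(src, dest)))
    return ops

def paths_to_confirm_absent(ops: List[PendingOp]) -> List[str]:
    """Every real path the section touches, deduplicated, in order."""
    seen, out = set(), []
    for op in ops:
        for p in (op.source, op.destination):
            if p.lower() != "nul" and p.lower() not in seen:
                seen.add(p.lower())
                out.append(p)
    return out

def still_present(paths: List[str],
                  exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Paths that still exist on disk; `exists` is injectable for offline use."""
    return [p for p in paths if exists(p)]

if __name__ == "__main__":
    pending = parse_rename_section(POSTED_WININIT)
    for op in pending:
        print(op.action, op.source, "->", op.destination, op.reasons)
    print("still present:", still_present(paths_to_confirm_absent(pending)))
```

On the posted file this yields three operations, every one of them flagged, and four distinct paths to confirm absent (the temp name that appears twice is reported once); run on the affected machine, still_present() returns whichever of them remain so they can be deleted as the expert asks.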

#7
nt6142
    Member
  • Topic Starter
  • 16 posts
Greetings,
None of the listed files were present.
I ran the Panda online scan and here is the log:

;*******************************************************************************
ANALYSIS: 2008-04-23 13:08:51
PROTECTIONS: 1
MALWARE: 49
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
avast! antivirus 4.8.1169 [VPS 080422-1] 4.8.1169 No Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.trafficmp.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.tribalfusion.com/]
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.www.myaffiliateprogram.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.com.com/]
00167677 Cookie/WebPower TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.xiti.com/]
00167709 Cookie/fe.lea.lycos TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[fe.lea.lycos.fr/]
00167744 Cookie/GoStats TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.toplist.cz/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[ad.yieldmanager.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.bs.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[www.burstbeacon.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[server.iad.liveperson.net/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[stat.onestat.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.pointroll.com/]
00170540 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[de.uol.com.br/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.realmedia.com/]
00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.uol.com.br/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00175950 Cookie/cs.sexcounter TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.go.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[searchportal.information.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.atwola.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.addynamix.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.addynamix.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.addynamix.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.addynamix.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.addynamix.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.addynamix.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.addynamix.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Application Data\Mozilla\Firefox\Profiles\mb20y0qo.default\cookies.txt[.ads.addynamix.com/]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\David Albin\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP391\A0091907.exe[327882R2FWJFW\nircmd.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP391\A0091909.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP387\A0084984.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP391\A0091889.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP387\A0084976.sys
02887532 Cookie/XPAntivirusPro TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][1].txt
02908396 Trj/Downloader.TCA Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP370\A0079491.exe
02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP370\A0079498.dll
02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\WINDOWS\Installer\{4ce1a7c7-e7e4-431b-b549-e06fa54ebeaa}\zip.dll
02909975 Cookie/CookingLuck TrackingCookie No 0 Yes No C:\Documents and Settings\David Albin\Cookies\[email protected][2].txt
02913433 Adware/VideoAccessCodec Adware No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP367\A0078379.exe
02913433 Adware/VideoAccessCodec Adware No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP367\A0078458.exe
02913545 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP377\A0081831.dll
02913930 Trj/Downloader.TIT Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP370\A0079490.exe
02913930 Trj/Downloader.TIT Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP370\A0079488.exe
02913930 Trj/Downloader.TIT Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP370\A0079489.exe
02913930 Trj/Downloader.TIT Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP370\A0079497.exe
02914307 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\catchme2008-04-11_150812.28.zip[Documents and Settings/David Albin/Desktop/catchme.zip][opnlKARI.dll]
02914400 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP391\A0091876.dll
02914400 Spyware/Vundo Spyware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ypmnugac.dll.vir
02914400 Spyware/Vundo Spyware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hmrhjybk.dll.vir
02914400 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP391\A0091874.dll
02915082 Spyware/Virtumonde Spyware No 1 Yes No C:\!KillBox\geBuUnKC.dll( 3)
02915082 Spyware/Virtumonde Spyware No 1 Yes No C:\!KillBox\geBuUnKC.dll
02915082 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP385\A0082027.dll
02915082 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP387\A0084957.dll
02915082 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP387\A0084958.dll
02915082 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\geBuUnKC.dll.vir
02915082 Spyware/Virtumonde Spyware No 1 Yes No C:\!KillBox\geBuUnKC.dll( 2)
02915082 Spyware/Virtumonde Spyware No 1 Yes No C:\!KillBox\geBuUnKC.dll( 1)
02915082 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\awtqrstq.dll.vir
02917693 Adware/MalwareAlarm Adware No 1 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP385\A0082015.exe
02917693 Adware/MalwareAlarm Adware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nmrmbqts.exe.vir
02917693 Adware/MalwareAlarm Adware No 1 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP391\A0091875.exe
02927394 Adware/MalwareAlarm Adware No 1 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP370\A0079492.exe
02927518 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wentqwcr.dll.vir
02927518 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{74AA0893-A494-423B-B975-10DA52470E60}\RP387\A0084959.dll
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
;===============================================================================



And here is the new HijackThis log (thanks again for the help):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:31 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\David Albin\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescamp...GamesCampus.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...8/pool/pool.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v46/wof/wof.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://origin.www.sh...HLGLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15021/CTPID.cab
O18 - Protocol: bw+0 - {28DD45ED-1F51-4CF9-96D7-C6A2CB1332D4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5234 bytes

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete this folder:

C:\!KillBox\

Go into Firefox->Tools->Clear Private Data to clear out all the temp files.

Not sure what else we can do from there. Was his PC sluggish already before this infection? Did you try running disk defragmenter on it to see if it helps?

#9
nt6142

    Member

  • Topic Starter
  • Member
  • 16 posts
Deleted folder. Avast sent a trojan warning when I opened the folder; it was getbunked. Defragmenting now.

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
The system should be pretty much clean at this point...

Go to Start->Run and copy/paste in combofix /u to remove it. It will delete all the files/folders it created and also reset your system restore points.

#11
nt6142

    Member

  • Topic Starter
  • Member
  • 16 posts
OK, sounds great to me. Thanks for the assist. My friend better appreciate it too, or I'll smash his PC with a ball peen hammer...

THAT HE CAN BLAME ON ME!!


TYvm.

#12
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
