win32.TRatBHO - Removal Help Needed. [CLOSED]


This topic is locked

#1 gavp1979 (New Member, 1 posts)
I have been infected with win32.TRatBHO; after reading other people's posts it seems that the fix needs to be tailored to each case. I have run ComboFix and HijackThis and included the log files of each below. It would be much appreciated if somebody could have a look at these and advise me on the next action to take.

Also, I have run these in Safe Mode and now cannot seem to boot Windows into normal mode again!

Thanks in advance, Gav.

HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:51, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
O4 - HKCU\..\RunOnce: [CleanUp!] c:\program files\its\clean\Cleanup.exe /WindowsRestart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206656046117
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: vtUmJCUN - vtUmJCUN.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6424 bytes


ComboFix Log

ComboFix 08-04-17.1 - Administrator 2008-04-19 10:38:05.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.305 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\oorAaccf.ini
C:\WINDOWS\system32\oorAaccf.ini2
C:\WINDOWS\system32\vtUmJCUN.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 10:33 . 2008-04-19 10:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 19:55 . 2008-04-18 19:55 <DIR> d-------- C:\Temp
2008-04-18 19:53 . 2008-04-18 19:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-04-18 19:35 . 2008-04-18 19:35 <DIR> d-------- C:\Documents and Settings\Administrator\Temporary Internet Files
2008-04-18 19:34 . 2008-04-18 19:34 <DIR> d-------- C:\Documents and Settings\Owner
2008-04-18 19:34 . 2008-04-18 19:34 <DIR> d-------- C:\Documents and Settings\Guest
2008-04-18 19:33 . 2008-04-19 10:30 32 --a------ C:\WINDOWS\CD_Start.INI
2008-04-18 19:32 . 2008-04-18 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-18 19:31 . 2008-04-18 19:31 <DIR> d-------- C:\Program Files\its
2008-04-18 19:29 . 2008-04-18 19:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2008-04-18 19:15 . 2008-04-18 19:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2008-04-18 19:13 . 2008-04-18 20:58 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-18 19:13 . 2008-04-19 10:53 24,576 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-04-16 19:38 . 2008-04-16 19:38 <DIR> d-------- C:\Documents and Settings\Gav\Application Data\Grisoft
2008-04-16 19:37 . 2008-04-16 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-16 19:37 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-15 20:30 . 2008-04-15 23:00 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-04-14 03:01 . 2008-04-14 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-13 17:54 . 2008-04-13 17:54 <DIR> d-------- C:\Program Files\PowerQuest
2008-04-13 07:16 . 2008-04-13 20:37 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-12 18:11 . 2008-04-12 18:11 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-04-12 18:04 . 2008-04-12 18:04 <DIR> d-------- C:\Documents and Settings\Gav\Application Data\Nero
2008-04-12 17:47 . 2008-04-12 17:47 <DIR> d-------- C:\Program Files\Nero
2008-04-12 17:47 . 2008-04-12 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-09 21:45 . 2008-04-09 21:45 <DIR> d-------- C:\Program Files\eRightSoft
2008-04-07 20:29 . 2003-04-25 10:10 536,576 --a------ C:\WINDOWS\system32\Tx32.dll
2008-04-07 20:28 . 2008-04-07 20:45 <DIR> d-------- C:\Program Files\Testbase32
2008-04-07 20:15 . 2008-04-07 20:15 21,504 --a------ C:\WINDOWS\jestertb.dll
2008-04-05 18:26 . 2008-04-05 18:29 <DIR> d-------- C:\Program Files\Avi2Dvd
2008-04-05 18:03 . 2008-04-05 18:03 <DIR> d-------- C:\divx
2008-04-05 17:32 . 2008-04-05 17:32 <DIR> d-------- C:\Documents and Settings\Gav\Application Data\DivX
2008-04-05 15:14 . 2008-03-29 18:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-05 15:14 . 2008-03-29 18:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-05 08:54 . 2008-04-09 22:39 <DIR> d-------- C:\Program Files\DivX
2008-04-04 12:15 . 2008-04-04 12:15 30 --a------ C:\WINDOWS\TEXTEASE.INI
2008-03-31 22:25 . 2008-03-31 22:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 22:25 . 2008-03-31 22:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 22:25 . 2008-03-31 22:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 22:25 . 2008-03-31 22:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 22:25 . 2008-03-31 22:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 22:25 . 2008-03-31 22:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-29 19:16 . 2008-03-29 19:16 <DIR> d-------- C:\Program Files\ConsumerChoices.co.uk
2008-03-29 11:12 . 2008-04-18 19:02 11,700,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-29 11:12 . 2008-04-18 19:02 139,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-29 11:03 . 2008-03-29 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-29 11:03 . 2008-03-29 11:08 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-03-29 11:02 . 2008-03-14 00:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-03-29 11:02 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-03-29 11:01 . 2008-03-29 11:02 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-03-29 11:01 . 2008-03-29 11:01 <DIR> d-------- C:\Program Files\Zone Labs
2008-03-29 11:01 . 2008-03-14 00:11 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-03-29 11:01 . 2008-04-19 10:45 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-03-29 11:00 . 2008-04-19 10:53 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-28 01:24 . 2008-03-28 01:24 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-28 00:14 . 2007-07-09 14:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-27 23:46 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-27 23:46 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-27 23:46 . 2006-08-21 13:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-27 23:17 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-27 23:17 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-27 23:17 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-27 23:17 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-27 23:17 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-27 23:05 . 2008-04-10 03:18 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-27 22:34 . 2008-03-27 22:48 <DIR> d-------- C:\Program Files\Wireless LAN Utility
2008-03-27 22:34 . 2004-12-01 19:35 438,912 --a------ C:\WINDOWS\system32\drivers\TNET1130.sys
2008-03-27 22:34 . 2004-11-04 19:55 94,192 --a------ C:\WINDOWS\system32\drivers\FwRad17.bin
2008-03-27 22:34 . 2004-11-04 19:55 92,836 --a------ C:\WINDOWS\system32\drivers\FwRad16.bin
2008-03-27 22:34 . 2004-12-01 19:29 69,632 --a------ C:\WINDOWS\system32\TnetWCoInst.dll
2008-03-24 11:07 . 2006-10-04 15:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-03-24 11:07 . 2006-10-04 15:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-03-24 11:07 . 2006-10-04 15:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-03-24 11:06 . 2008-03-24 11:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-24 11:05 . 2008-03-24 11:05 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-21 21:30 . 2008-03-21 21:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-03-21 21:30 . 2008-03-21 21:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-03-21 21:30 . 2008-03-21 21:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 17:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-12 16:51 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-12 16:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-12 15:57 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-12 15:57 --------- d-----w C:\Program Files\ahead
2008-04-05 17:27 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-08 15:42 --------- d-----w C:\Program Files\Research Machines
2008-03-08 15:42 --------- d-----w C:\Program Files\directx
2008-03-08 15:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Research Machines
2008-03-08 15:39 --------- d-----w C:\Program Files\Abacus Evolve Teachers
2008-03-08 15:25 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-03-08 15:20 --------- d-----w C:\Documents and Settings\Gav\Application Data\InstallShield
2008-03-04 14:42 --------- d-----w C:\Program Files\Reasonable NoClone 2007 Enterprise
2008-03-04 14:42 --------- d-----w C:\Documents and Settings\Gav\Application Data\Reasonable Software House Ltd
2008-02-28 16:38 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-02-26 15:14 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2008-02-21 02:05 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-21 02:05 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-21 02:05 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2005-07-14 11:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 14:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 11:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
2005-02-28 12:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" [2008-02-28 17:07 19752]
"CleanUp!"="c:\program files\its\clean\Cleanup.exe" [2005-02-10 16:39 323584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 10:17 102400]
"Cmaudio"="cmicnfg.cpl" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"openFileBackup"="" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 18:37 79224]
"TI WLAN"="C:\Program Files\Wireless LAN Utility\TIWLANCu.exe" [2005-03-14 12:01 1150976]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-24 19:58:21 113664]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-07-29 16:14:16 499773]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUmJCUN]
vtUmJCUN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Virtual PC\\Virtual PC.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys [2004-12-01 19:35]
R3 xpvcom;XPVCOM Port;C:\WINDOWS\system32\DRIVERS\XPVCOM.sys [2007-03-23 02:00]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
S2 MSSQL$IPLANNERFRAMEWK;MSSQL$IPLANNERFRAMEWK;C:\Program Files\Microsoft SQL Server\MSSQL$IPLANNERFRAMEWK\Binn\sqlservr.exe [2002-12-17 18:26]
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 00:56]
S2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S3 SQLAgent$IPLANNERFRAMEWK;SQLAgent$IPLANNERFRAMEWK;C:\Program Files\Microsoft SQL Server\MSSQL$IPLANNERFRAMEWK\Binn\sqlagent.EXE [2002-12-17 18:23]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 10:52:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
.
**************************************************************************
.
Completion time: 2008-04-19 11:01:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 10:01:09

Pre-Run: 13,928,951,808 bytes free
Post-Run: 13,830,746,112 bytes free
.
2008-04-14 02:01:45 --- E O F ---
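The two logs above share one detail that is worth checking whenever such posts are reviewed: HijackThis reports an O20 Winlogon Notify entry whose DLL is missing, ComboFix lists that same DLL under "Other Deletions", and the Notify registry key still shows up in ComboFix's "Reg Loading Points". As an added example (not part of the original thread and not code from either tool), the Python below parses both log formats and correlates them; the sample lines are copied from the logs above, and the finding names are my own.

```python
import re
from pathlib import PureWindowsPath

# Sample lines copied from the HijackThis and ComboFix logs posted in the thread.
# Only the lines the checks below need are reproduced; the format is unchanged.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: vtUmJCUN - vtUmJCUN.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

COMBOFIX_SAMPLE = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\oorAaccf.ini
C:\WINDOWS\system32\oorAaccf.ini2
C:\WINDOWS\system32\vtUmJCUN.dll
.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
"""

HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
O20_BODY = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<dll>\S+)(?P<rest>.*)$")

def parse_hjt(text):
    """Return (section, body) tuples for every HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out

def combofix_deletions(text):
    """Return the file paths ComboFix lists under its 'Other Deletions' banner."""
    paths, inside = [], False
    for line in text.splitlines():
        if "Other Deletions" in line:
            inside = True
        elif inside and line.startswith("(((("):
            break  # the next banner ends the section
        elif inside and line.startswith("C:\\"):
            paths.append(line.strip())
    return paths

def review(hjt_text, combofix_text):
    """Correlate the two logs into (finding, detail) tuples for a reviewer."""
    deleted = {PureWindowsPath(p).name.lower() for p in combofix_deletions(combofix_text)}
    findings = []
    for section, body in parse_hjt(hjt_text):
        if section == "R0" and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if url and "microsoft.com" not in url.lower():
                findings.append(("start_page_changed", url))  # not the IE default; review it
        elif section == "O20":
            m = O20_BODY.match(body)
            if not m:
                continue
            dll, missing = m.group("dll"), "(file missing)" in m.group("rest")
            if missing and dll.lower() in deleted:
                # DLL already removed by ComboFix, but the Notify subkey still names it:
                # the registry entry needs cleaning up too, or winlogon keeps looking for it.
                findings.append(("orphaned_winlogon_notify", m.group("key")))
            elif missing:
                findings.append(("winlogon_notify_missing_dll", dll))
            else:
                findings.append(("winlogon_notify_review", dll))
    return findings
```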

#2 sarahw (Malware Staff, 2,781 posts)
Hi,
Welcome to the site. Sorry about the delay.

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.
Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)

Can you please post a freshly scanned HijackThis log. This is because your computer's condition may have changed.
#3 sarahw (Malware Staff, 2,781 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.