Trojan horse Generic10.AOWW [RESOLVED]

#1 bretddog (New Member, 5 posts)

Hi!
Please, I need some help to remove this trojan. I use AVG 7.5 Free edition, which detected this one.
Tried to remove with AVG, Avast and Ad-aware, but it didn't help, so I need some expert advice...
I followed the steps in the sticky post, but it did not remove this virus.

At the moment I have put in the AVG vault:
Trojan horse Generic10.AOWW (several of this one)
Trojan horse Downloader.Tiny.H Detected (one of these)
Trojan horse SHeur.BTTO
The file names are random names with .exe extension, like Xflsyf28.exe

I'm running XP Pro on a Lenovo Thinkpad T61p laptop.

Must say I have great respect for you folks, helping others with these problems. And I hope you are able to help me with this one too... :)

Here are logs from Activescan (the online one), and hijackthis:


Activescan log:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-16 15:23:51
PROTECTIONS: 1
MALWARE: 31
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description                                  Version                       Active    Updated
;===================================================================================================================================================================================
AVG 7.5.526                                  7.5.526                       Yes       Yes
;===================================================================================================================================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;===================================================================================================================================================================================
00139060  Cookie/Casalemedia                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.casalemedia.com/]
00139060  Cookie/Casalemedia                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.casalemedia.com/]
00139060  Cookie/Casalemedia                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.casalemedia.com/]
00139060  Cookie/Casalemedia                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.casalemedia.com/]
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.doubleclick.net/]
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.atdmt.com/]
00145393  Cookie/Tradedoubler                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.tradedoubler.com/]
00145393  Cookie/Tradedoubler                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.tradedoubler.com/]
00145393  Cookie/Tradedoubler                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.tradedoubler.com/]
00145393  Cookie/Tradedoubler                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.tradedoubler.com/]
00145393  Cookie/Tradedoubler                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.tradedoubler.com/]
00145405  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.247realmedia.com/]
00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.fastclick.net/]
00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.fastclick.net/]
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.tribalfusion.com/]
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.tribalfusion.com/]
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.tribalfusion.com/]
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.tribalfusion.com/]
00145738  Cookie/Mediaplex                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.mediaplex.com/]
00145869  Cookie/SpyLog                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.spylog.com/]
00167642  Cookie/Com.com                     TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.com.com/]
00167647  Cookie/Yadro                       TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.yadro.ru/]
00167753  Cookie/Statcounter                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.statcounter.com/]
00167753  Cookie/Statcounter                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.statcounter.com/]
00167753  Cookie/Statcounter                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.statcounter.com/]
00167753  Cookie/Statcounter                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.statcounter.com/]
00167753  Cookie/Statcounter                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.statcounter.com/]
00167753  Cookie/Statcounter                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.statcounter.com/]
00167760  Cookie/Hitslink                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[counter.hitslink.com/]
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[ad.yieldmanager.com/]
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[ad.yieldmanager.com/]
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[ad.yieldmanager.com/]
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[ad.yieldmanager.com/]
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[ad.yieldmanager.com/]
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[ad.yieldmanager.com/]
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[ad.yieldmanager.com/]
00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.apmebf.com/]
00168076  Cookie/BurstNet                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.burstnet.com/]
00168076  Cookie/BurstNet                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.burstnet.com/]
00168090  Cookie/Serving-sys                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.serving-sys.com/]
00168090  Cookie/Serving-sys                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.serving-sys.com/]
00168090  Cookie/Serving-sys                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.serving-sys.com/]
00168090  Cookie/Serving-sys                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.serving-sys.com/]
00168090  Cookie/Serving-sys                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.serving-sys.com/]
00168090  Cookie/Serving-sys                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.serving-sys.com/]
00168093  Cookie/Serving-sys                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.bs.serving-sys.com/]
00168109  Cookie/Adtech                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.adtech.de/]
00168110  Cookie/Server.iad.Liveperson       TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[server.iad.liveperson.net/hc/58032969]
00168110  Cookie/Server.iad.Liveperson       TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[server.iad.liveperson.net/hc/80724028]
00168110  Cookie/Server.iad.Liveperson       TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[server.iad.liveperson.net/hc/79438661]
00168110  Cookie/Server.iad.Liveperson       TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[server.iad.liveperson.net/]
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.advertising.com/]
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.advertising.com/]
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.advertising.com/]
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.advertising.com/]
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.advertising.com/]
00170304  Cookie/WebtrendsLive               TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[statse.webtrendslive.com/]
00170495  Cookie/PointRoll                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.ads.pointroll.com/]
00170495  Cookie/PointRoll                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.ads.pointroll.com/]
00170495  Cookie/PointRoll                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.ads.pointroll.com/]
00170495  Cookie/PointRoll                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.ads.pointroll.com/]
00170495  Cookie/PointRoll                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.ads.pointroll.com/]
00170495  Cookie/PointRoll                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.ads.pointroll.com/]
00170495  Cookie/PointRoll                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.ads.pointroll.com/]
00170554  Cookie/Overture                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.overture.com/]
00170554  Cookie/Overture                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.overture.com/]
00170556  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.realmedia.com/]
00170556  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.realmedia.com/]
00170556  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.realmedia.com/]
00171982  Cookie/QuestionMarket              TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.questionmarket.com/]
00171982  Cookie/QuestionMarket              TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.questionmarket.com/]
00172221  Cookie/Zedo                        TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.zedo.com/]
00172221  Cookie/Zedo                        TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.zedo.com/]
00173520  Cookie/Bluestreak                  TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.bluestreak.com/]
00184846  Cookie/Adrevolver                  TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.adrevolver.com/]
00184846  Cookie/Adrevolver                  TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.adrevolver.com/]
00262020  Cookie/Atwola                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7b8xwwj8.default\cookies.txt[.atwola.com/]
01362839  Generic Trojan                     Virus/Trojan        No        0         Yes            No           C:\Program Files\CoolSpeech\realtime.dll
;===================================================================================================================================================================================
SUSPECTS
Sent      Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id        Severity   Description
;===================================================================================================================================================================================
  182048  HIGH       MS07-069
  176382  HIGH       MS07-057
  170906  HIGH       MS07-045
  170904  HIGH       MS07-043
  164913  HIGH       MS07-033
  160623  HIGH       MS07-027
  150253  HIGH       MS07-016
  141030  HIGH       MS06-072
  137568  HIGH       MS06-067
  126083  HIGH       MS06-042
  120814  HIGH       MS06-021
  114664  HIGH       MS06-013
;===================================================================================================================================================================================

Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:33 PM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WiQuest\WiQuest WUSB\WQ_Tray.exe
C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\Antivirus Tool\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PD0870 STISvc] RunDLL32.exe P0870Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: ScreenHunter 4.0 Free.lnk = C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: Ultrawideband Control Center.lnk = C:\Program Files\WiQuest\WiQuest WUSB\WQ_Tray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exeO23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe--End of file - 8845 bytes

Edited by bretddog, 18 July 2008 - 07:57 PM.

  • 0

#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Uninstall CoolSpeech via the Add/Remove Programs panel.

Delete this folder:

C:\Program Files\CoolSpeech\

Go into Firefox->Tools->Clear Private Data and hit OK to delete all your cookie and temp files.

Download Malwarebytes' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html. Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
bretddog

bretddog

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thanks greyknight17!! :)

Here are the new logs:


Malwarebytes' Anti-Malware 1.20
Database version: 962
Windows 5.1.2600 Service Pack 2

7:52:55 PM 7/17/2008
mbam-log-7-17-2008 (19-52-55).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 87804
Time elapsed: 22 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\WinRAR\Default.SFX (Rogue.Installer) -> Quarantined and deleted successfully.

ComboFix 08-07-15.4 - Administrator 2008-07-17 20:14:11.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.277 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Antivirus Tool\ComboFix.exe
 * Created a new restore point.

(((((((((((((((((((((((((   Files Created from 2008-06-17 to 2008-07-17  )))))))))))))))))))))))))))))))
.
2008-07-17 17:49 . 2008-07-17 17:49	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-16 22:53 . 2008-07-16 22:53	<DIR>	d--------	C:\Program Files\Alwil Software
2008-07-16 13:14 . 2008-07-16 13:14	<DIR>	d--------	C:\Program Files\Panda Security
2008-07-16 13:14 . 2008-06-19 17:24	28,544	--a------	C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-16 11:44 . 2008-07-16 16:33	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2008-07-16 11:44 . 2008-07-16 11:44	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-16 11:44 . 2008-07-16 11:44	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-16 11:43 . 2008-07-16 11:43	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-07-16 11:32 . 2008-07-17 19:29	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 11:32 . 2008-07-16 11:32	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 11:32 . 2008-07-16 11:32	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-16 11:32 . 2008-07-07 17:35	34,296	--a------	C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-16 11:32 . 2008-07-07 17:35	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-07-16 11:31 . 2008-07-16 11:31	<DIR>	d--------	C:\Program Files\Common Files\Download Manager
2008-07-16 01:20 . 2008-07-16 01:20	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-16 01:19 . 2008-07-16 01:19	<DIR>	d--------	C:\Program Files\Lavasoft
2008-07-15 17:16 . 2008-07-17 18:08	<DIR>	dr-h-----	C:\$VAULT$.AVG
2008-07-14 13:12 . 2008-07-14 13:12	0	--a------	C:\WINDOWS\system32\Tnbp32x7.exe.a_a
2008-07-07 17:07 . 2008-07-07 17:07	<DIR>	d--------	C:\Program Files\NinjaTrader 6.5
2008-06-17 16:58 . 2008-06-17 16:58	98,304	--a------	C:\WINDOWS\system32\NtDirect.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 17:23	---------	d-----w	C:\Program Files\CoolSpeech
2008-07-17 06:00	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-15 22:49	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-14 17:26	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-09 11:15	---------	d-----w	C:\Program Files\Wisdom-soft ScreenHunter
2008-06-06 23:32	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\BSplayer PRO
2008-06-06 23:29	---------	d-----w	C:\Program Files\DVD Region+CSS Free
2008-06-06 23:13	---------	d-----w	C:\Program Files\Elaborate Bytes
2008-06-06 23:10	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-06-06 23:09	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-06-06 23:09	---------	d-----w	C:\Program Files\InterVideo
2008-06-06 23:09	---------	d-----w	C:\Documents and Settings\All Users\Application Data\InterVideo
2008-05-23 22:00	---------	d-----w	C:\Program Files\Winamp
2008-05-23 22:00	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Winamp
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-07-16 16:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-10 23:03 8495104]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-10 23:03 81920]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 04:30 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 04:30 512000]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 20:11 1044480]
"PSQLLauncher"="C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" [2007-08-15 01:32 48904]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-01-24 20:21 66928]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-12-20 04:04 60704]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 03:33 243248]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 09:08 580096]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 20:49 36352]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RegKillElbyCheck"="C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 08:33 45056]
"RegKillTray"="C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-11-27 23:11 49152]
"nwiz"="nwiz.exe" [2007-12-10 23:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"PD0870 STISvc"="P0870Pin.dll" [2005-05-04 19:00 36864 C:\WINDOWS\system32\P0870Pin.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-13 03:54 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ScreenHunter 4.0 Free.lnk - C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe [2008-03-11 05:17:22 409600]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 16:58:10 576104]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-06-07 01:08:27 86016]
InterVideo WinScheduler.lnk - C:\Program Files\InterVideo\WinDVR\WinScheduler.exe [2008-06-07 01:08:27 65536]
Ultrawideband Control Center.lnk - C:\Program Files\WiQuest\WiQuest WUSB\WQ_Tray.exe [2007-08-24 11:41:42 1821752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-16 16:32 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-16 16:33 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-15 01:54 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-07 02:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2007-12-15 02:36 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Conference\\Conference.dll"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\NinjaTrader 6.5\\bin\\NinjaTrader.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-15 01:46]
R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2002-11-27 23:46]
R3 WQ_USBHWA;WiQuest Host Wire Adapter driver;C:\WINDOWS\system32\DRIVERS\WQ_hwa.sys [2007-08-24 11:35]
R3 WQ_USBRCI;WiQuest UltraWideBand driver;C:\WINDOWS\system32\DRIVERS\WQ_rci.sys [2007-08-24 11:35]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-07-04 04:46]
S3 P0870Dev;Creative WebCam Live! Motion;C:\WINDOWS\system32\DRIVERS\P0870Dev.sys [2005-06-29 19:00]
S3 WQ_USBLOAD;WiQuest WUSB Loader driver;C:\WINDOWS\system32\DRIVERS\WQ_ldr.sys [2007-08-24 11:35]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 08:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-16 22:25:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 07:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 08:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 09:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 10:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 11:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 12:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 13:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 14:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 15:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 16:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-16 23:00:01 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 17:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 18:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-16 19:00:01 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-16 20:00:01 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-15 21:00:01 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 00:00:02 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 01:00:01 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 02:00:01 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 03:00:01 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 04:00:01 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 05:00:01 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 06:00:01 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 20:20:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-07-17 20:23:03 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-17 18:23:00

Pre-Run: 13,187,600,384 bytes free
Post-Run: 14,682,894,336 bytes free

217	--- E O F ---	2008-04-13 10:41:15

  • 0

#4
bretddog

bretddog

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
just a note:
I missed the point of deleting the folder C:\Program Files\CoolSpeech\, so did that now in the end. Hope that didn't mess it up..
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Decide whether you want to keep AVG or Avast antivirus and uninstall one of them now.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\Tnbp32x7.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

How is it running so far?
  • 0
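The persistence pattern the expert acted on above (two dozen At*.job scheduled tasks, one per hour, all launching the same executable in system32) is easy to miss by eye in a long ComboFix log. As an added example that is not a tool from this thread or from ComboFix, here is a small parser for the 'Scheduled Tasks' section of such a log that groups jobs by the program they launch, flags any program referenced by several At*.job tasks, and renders the File:: block in the CFScript format shown in the reply above. The sample lines are constructed to mirror the log's format; the min_jobs threshold of 3 is an assumption.

```python
"""Flag scheduled-task persistence in a ComboFix 'Scheduled Tasks' section.

Added example for this thread, not code from ComboFix or Geeks to Go.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the log format above: a timestamped .job line
# followed by a '- <target>' line. Three hourly At*.job tasks point at one
# executable (the pattern in the posted log); one ordinary job is benign.
SAMPLE_LOG = r'''
Contents of the 'Scheduled Tasks' folder
"2008-07-16 22:25:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 07:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 08:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\Tnbp32x7.exe
"2008-07-17 03:00:00 C:\WINDOWS\Tasks\Backup.job"
- C:\Program Files\Backup\backup.exe
'''

# '"<timestamp> <path>.job"' and the following '- <target>' line.
TASK_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$')
TARGET_RE = re.compile(r'^- (.+)$')


def parse_tasks(log_text):
    """Return (job_path, target_path) pairs from the scheduled-tasks section."""
    tasks = []
    pending_job = None
    for line in log_text.splitlines():
        line = line.strip()
        m = TASK_RE.match(line)
        if m:
            pending_job = m.group(2)
            continue
        m = TARGET_RE.match(line)
        if m and pending_job:
            tasks.append((pending_job, m.group(1)))
            pending_job = None
    return tasks


def suspicious_targets(tasks, min_jobs=3):
    """Map target -> sorted At*.job paths for targets launched by at least
    min_jobs AtN.job tasks (the hourly at.exe-style persistence seen above).
    The threshold is an assumption, not a ComboFix rule."""
    by_target = defaultdict(list)
    for job, target in tasks:
        if re.search(r'\\At\d+\.job$', job, re.IGNORECASE):
            by_target[target].append(job)
    return {t: sorted(j) for t, j in by_target.items() if len(j) >= min_jobs}


def cfscript(flagged):
    """Render a File:: block listing each flagged target and its jobs."""
    lines = ["File::"]
    for target, jobs in sorted(flagged.items()):
        lines.append(target)
        lines.extend(jobs)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = suspicious_targets(parse_tasks(SAMPLE_LOG))
    for target, jobs in found.items():
        print(f"{target}: launched by {len(jobs)} At*.job tasks")
    print(cfscript(found))
```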

#6
bretddog

bretddog

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Going very well thanks! I have not got any more warnings from AVG now.
Btw, is it known in what way this specific trojan usually is transferred? And am I fairly ok protected by just using AVG, or would you recommend some additional software?

Here is the log following your last instructions:

ComboFix 08-07-15.4 - Administrator 2008-07-18  2:31:13.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2434 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Antivirus Tool\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\Antivirus Tool\CFScript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\system32\Tnbp32x7.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
(((((((((((((((((((((((((   Files Created from 2008-06-18 to 2008-07-18  )))))))))))))))))))))))))))))))
.
2008-07-18 02:21 . 2008-07-18 02:21	<DIR>	d--------	C:\WINDOWS\LastGood
2008-07-17 21:01 . 2008-07-17 21:05	<DIR>	d--------	C:\WINDOWS\system32\drivers\Avg
2008-07-17 21:01 . 2008-07-17 21:01	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-17 21:01 . 2008-07-17 21:01	96,520	--a------	C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-17 21:01 . 2008-07-17 21:01	76,040	--a------	C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-17 21:01 . 2008-07-17 21:01	10,520	--a------	C:\WINDOWS\system32\avgrsstx.dll
2008-07-17 21:00 . 2008-07-17 21:00	<DIR>	d--------	C:\Program Files\AVG
2008-07-17 21:00 . 2008-07-17 21:00	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\avg8
2008-07-17 17:49 . 2008-07-17 17:49	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-16 22:53 . 2008-07-16 22:53	<DIR>	d--------	C:\Program Files\Alwil Software
2008-07-16 22:53 . 2003-03-18 22:20	1,060,864	--a------	C:\WINDOWS\system32\MFC71.dll
2008-07-16 13:14 . 2008-07-16 13:14	<DIR>	d--------	C:\Program Files\Panda Security
2008-07-16 13:14 . 2008-06-19 17:24	28,544	--a------	C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-16 11:44 . 2008-07-16 16:33	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2008-07-16 11:44 . 2008-07-16 11:44	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-16 11:44 . 2008-07-16 11:44	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-16 11:43 . 2008-07-16 11:43	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-07-16 11:32 . 2008-07-17 19:29	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 11:32 . 2008-07-16 11:32	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 11:32 . 2008-07-16 11:32	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-16 11:32 . 2008-07-07 17:35	34,296	--a------	C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-16 11:32 . 2008-07-07 17:35	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-07-16 11:31 . 2008-07-16 11:31	<DIR>	d--------	C:\Program Files\Common Files\Download Manager
2008-07-16 01:20 . 2008-07-16 01:20	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-16 01:19 . 2008-07-16 01:19	<DIR>	d--------	C:\Program Files\Lavasoft
2008-07-14 13:12 . 2008-07-14 13:12	0	--a------	C:\WINDOWS\system32\Tnbp32x7.exe.a_a
2008-07-07 17:07 . 2008-07-07 17:07	<DIR>	d--------	C:\Program Files\NinjaTrader 6.5

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 22:49	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-14 17:26	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-09 11:15	---------	d-----w	C:\Program Files\Wisdom-soft ScreenHunter
2008-06-17 14:58	98,304	----a-w	C:\WINDOWS\system32\NtDirect.dll
2008-06-06 23:32	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\BSplayer PRO
2008-06-06 23:29	---------	d-----w	C:\Program Files\DVD Region+CSS Free
2008-06-06 23:13	---------	d-----w	C:\Program Files\Elaborate Bytes
2008-06-06 23:10	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-06-06 23:09	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-06-06 23:09	---------	d-----w	C:\Program Files\InterVideo
2008-06-06 23:09	---------	d-----w	C:\Documents and Settings\All Users\Application Data\InterVideo
2008-05-23 22:00	---------	d-----w	C:\Program Files\Winamp
2008-05-23 22:00	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Winamp
.
(((((((((((((((((((((((((((((   [email protected]_20.22.52.34   )))))))))))))))))))))))))))))))))))))))))
.
+ 1998-09-30 09:09:20	1,276,416	----a-w	C:\WINDOWS\LastGood\lhsp\tv\tv_enua.dll
+ 1998-09-24 14:15:44	40,960	----a-w	C:\WINDOWS\LastGood\lhsp\tv\tvenuax.dll
+ 2008-07-18 00:21:10	262,144	----a-w	C:\WINDOWS\system32\config\systemprofile\NtUser.dat
- 2008-03-13 01:54:52	26,952	----a-w	C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-07-17 19:01:03	26,824	----a-w	C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2008-07-16 21:27:55	85,604	----a-w	C:\WINDOWS\system32\perfc009.dat
+ 2008-07-17 19:08:35	85,604	----a-w	C:\WINDOWS\system32\perfc009.dat
- 2008-07-16 21:27:55	480,132	----a-w	C:\WINDOWS\system32\perfh009.dat
+ 2008-07-17 19:08:35	480,132	----a-w	C:\WINDOWS\system32\perfh009.dat
+ 2008-07-17 19:03:57	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_468.dat
+ 2006-12-01 20:56:00	96,256	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 20:54:32	479,232	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 20:54:34	548,864	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 20:54:32	626,688	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 22:25:52	1,101,824	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 22:25:56	1,093,120	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 22:25:58	69,632	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 22:26:00	57,856	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 22:08:00	40,960	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 22:08:00	45,056	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 22:08:00	65,536	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 22:08:00	57,344	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 22:08:00	61,440	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 22:08:00	61,440	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 22:08:00	61,440	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 22:08:00	49,152	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 22:08:00	49,152	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 22:46:44	65,536	----a-w	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-07-16 16:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-10 23:03 8495104]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-10 23:03 81920]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 04:30 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 04:30 512000]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 20:11 1044480]
"PSQLLauncher"="C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" [2007-08-15 01:32 48904]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-01-24 20:21 66928]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-12-20 04:04 60704]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 03:33 243248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 20:49 36352]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RegKillElbyCheck"="C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 08:33 45056]
"RegKillTray"="C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-11-27 23:11 49152]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-17 21:00 1232152]
"nwiz"="nwiz.exe" [2007-12-10 23:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"PD0870 STISvc"="P0870Pin.dll" [2005-05-04 19:00 36864 C:\WINDOWS\system32\P0870Pin.dll]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ScreenHunter 4.0 Free.lnk - C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe [2008-03-11 05:17:22 409600]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 16:58:10 576104]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-06-07 01:08:27 86016]
InterVideo WinScheduler.lnk - C:\Program Files\InterVideo\WinDVR\WinScheduler.exe [2008-06-07 01:08:27 65536]
Ultrawideband Control Center.lnk - C:\Program Files\WiQuest\WiQuest WUSB\WQ_Tray.exe [2007-08-24 11:41:42 1821752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-16 16:32 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-16 16:33 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-15 01:54 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-07 02:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2007-12-15 02:36 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Conference\\Conference.dll"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\NinjaTrader 6.5\\bin\\NinjaTrader.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-17 21:01]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-17 21:00]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-17 21:00]
R2 AvgTdiX;AVG Free8 Network
Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-17 21:01]R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-15 01:46]R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2002-11-27 23:46]R3 WQ_USBHWA;WiQuest Host Wire Adapter driver;C:\WINDOWS\system32\DRIVERS\WQ_hwa.sys [2007-08-24 11:35]R3 WQ_USBRCI;WiQuest UltraWideBand driver;C:\WINDOWS\system32\DRIVERS\WQ_rci.sys [2007-08-24 11:35]R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-07-04 04:46]S3 P0870Dev;Creative WebCam Live! Motion;C:\WINDOWS\system32\DRIVERS\P0870Dev.sys [2005-06-29 19:00]S3 WQ_USBLOAD;WiQuest WUSB Loader driver;C:\WINDOWS\system32\DRIVERS\WQ_ldr.sys [2007-08-24 11:35]S4 msvsmon90;Visual Studio 2008 Remote Debugger;C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 08:58]*Newly Created Service* - AVG8EMC*Newly Created Service* - AVG8WD*Newly Created Service* - AVGLDX86*Newly Created Service* - AVGMFX86*Newly Created Service* - AVGTDIX*Newly Created Service* - CATCHME.**************************************************************************catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]Rootkit scan 2008-07-18 02:31:48Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.Completion time: 2008-07-18  2:32:32ComboFix-quarantined-files.txt  2008-07-18 00:32:26ComboFix2.txt  2008-07-18 00:29:45ComboFix3.txt  2008-07-17 18:23:04Pre-Run: 14,680,449,024 bytes freePost-Run: 14,670,012,416 bytes free238	--- E O F ---	2008-04-13 10:41:15

  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Not really sure how it was picked up, but it can be as simple as visiting a website with malicious code.

AVG8 along with other security programs will help out (see below).

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0
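The verdict above rests on reading the "Reg Loading Points" section of the ComboFix log by eye. As an added example (not code from the thread, from ComboFix, or from the helper), here is a small Python parser that pulls the Run-key entries out of a log in that shape and flags the two things a reviewer looks at first: an executable that lives in a user-writable profile or Temp directory, and a value that names the binary without a directory, so it is resolved through the search path rather than a fixed location. The sample text is constructed to match the log format; the "example-constructed" entry and its path are invented for the demonstration and do not appear in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
# The "example-constructed" entry is invented for this demonstration; the
# others mirror the kind of entries in the log above.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-07-16 16:33 1506544]
"example-constructed"="C:\Documents and Settings\Administrator\Local Settings\Temp\abcd1234.exe" [2008-07-15 03:12 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-17 21:00 1232152]
"nwiz"="nwiz.exe" [2007-12-10 23:03 1626112 C:\WINDOWS\system32\nwiz.exe]
'''

# A registry key header: [HKEY_...\...]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# An entry: "Name"="value" [yyyy-mm-dd hh:mm size] or, for bare file names,
# [yyyy-mm-dd hh:mm size C:\resolved\path]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r' \[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)'
    r'(?: (?P<resolved>[^\]]+))?\]$')

# Path fragments that indicate a user-writable location on Windows XP.
USER_WRITABLE = ('\\temp\\', '\\documents and settings\\',
                 '\\application data\\', '\\local settings\\')


@dataclass
class RunEntry:
    key: str
    name: str
    value: str
    stamp: str
    size: int
    resolved: Optional[str]

    @property
    def path(self) -> str:
        """The location the entry actually runs from, if the log resolved it."""
        return self.resolved or self.value


def parse_run_entries(text: str) -> List[RunEntry]:
    """Return the entries found under any key whose name ends in \\Run."""
    entries: List[RunEntry] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = ENTRY_RE.match(line)
        if m and key and key.lower().endswith('\\run'):
            entries.append(RunEntry(key, m.group('name'), m.group('value'),
                                    m.group('stamp'), int(m.group('size')),
                                    m.group('resolved')))
    return entries


def triage(entries: List[RunEntry]) -> List[Tuple[RunEntry, List[str]]]:
    """Flag entries worth a second look, with the reason for each flag."""
    findings = []
    for e in entries:
        reasons = []
        if any(marker in e.path.lower() for marker in USER_WRITABLE):
            reasons.append('runs from a user-writable profile/Temp location')
        if '\\' not in e.value:
            reasons.append('bare file name, resolved via search path to '
                           + (e.resolved or '<unresolved>'))
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == '__main__':
    for entry, reasons in triage(parse_run_entries(SAMPLE)):
        print(f'{entry.name}: {entry.path}')
        for r in reasons:
            print('   -', r)
```

A flag is a prompt to check the file, not a verdict: the bare-name rule fires on legitimate entries such as nwiz (as it does in the sample), and the point of reporting the resolved path is to confirm it sits where the vendor installs it.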

#8
bretddog

bretddog

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Excellent, very much appreciated! Please accept also my PayPal thanks!

Have a great weekend!


:)
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0