malware keeps regenerate after startup [RESOLVED]


  • This topic is locked

#16
npbfs (Topic Starter, Member, 10 posts)
Deckard's System Scanner main.txt:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-22 00:16:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:05 AM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Real Alternative\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk.disabled
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://203.118.43.10...sCamControl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37D16-3959-4EC6-98C8-11C0429EBE9C}: NameServer = 202.156.1.78,202.156.1.68
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe

--
End of file - 7386 bytes

-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-22 00:08:05 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-21 20:20:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-21 20:20:02 0 d-------- C:\WINDOWS.0\system32\Kaspersky Lab
2008-07-21 13:16:33 0 d-------- C:\WINDOWS.0\system32\xircom
2008-07-21 13:16:31 0 d-------- C:\Program Files\microsoft frontpage
2008-07-21 13:11:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-21 12:53:08 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-21 12:41:34 260272 --a------ C:\cmldr
2008-07-21 12:41:10 0 d-------- C:\cmdcons
2008-07-21 01:52:48 28672 --a------ C:\WINDOWS.0\system32\Partizan.exe <Not Verified; Greatis Software; RegRun Security Suite, UnHackMe>
2008-07-21 01:50:31 2 -rahs-o-t C:\WINDOWS.0\winstart.bat
2008-07-21 00:56:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-07-18 17:06:16 0 d-------- C:\Program Files\EMCO MoveOnBoot
2008-07-17 23:37:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-17 16:39:36 68096 --a------ C:\WINDOWS.0\zip.exe
2008-07-17 16:39:36 49152 --a------ C:\WINDOWS.0\VFind.exe
2008-07-17 16:39:36 212480 --a------ C:\WINDOWS.0\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-17 16:39:36 136704 --a------ C:\WINDOWS.0\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-17 16:39:36 161792 --a------ C:\WINDOWS.0\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-17 16:39:36 98816 --a------ C:\WINDOWS.0\sed.exe
2008-07-17 16:39:36 80412 --a------ C:\WINDOWS.0\grep.exe
2008-07-17 16:39:36 89504 --a------ C:\WINDOWS.0\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-17 16:35:42 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-09 13:16:19 3002368 --a------ C:\Documents and Settings\Guest\ntuser.dat
2008-07-09 13:16:18 14942208 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2008-07-05 20:44:55 0 d-------- C:\Documents and Settings\Guest\Application Data\Malwarebytes
2008-07-03 20:14:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 20:14:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 02:10:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-03 02:10:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 02:10:37 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 02:09:41 0 d-------- C:\VundoFix Backups
2008-07-03 01:39:31 0 dr------- C:\Documents and Settings\Guest\Application Data\Brother
2008-07-03 01:19:50 0 d-------- C:\Program Files\Enigma Software Group
2008-07-02 16:18:06 720896 --a------ C:\Documents and Settings\LocalService\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-22 00:08:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-21 17:14:20 0 d-------- C:\Program Files\ReGetDx
2008-07-21 13:12:07 0 d-------- C:\Program Files\Common Files
2008-07-21 02:58:49 0 d-------- C:\Program Files\Trend Micro
2008-07-20 20:56:43 0 d-------- C:\Program Files\uTorrent
2008-07-19 15:50:10 78478 --a----c- C:\WINDOWS.0\War3Unin.dat
2008-07-17 20:40:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-07-16 21:54:54 0 d-------- C:\Program Files\NJStar Chinese WP
2008-07-10 11:59:37 0 d-------- C:\Program Files\Lavasoft
2008-07-08 20:43:44 0 d-------- C:\Program Files\Opera
2008-07-05 20:21:37 1024 --a----c- C:\Documents and Settings\Administrator\Application Data\WavCodec.wff
2008-07-03 19:52:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-26 21:57:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-26 23:31:01 4096 --a------ C:\WINDOWS.0\system32\crash


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS.0\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/06/2005 01:07 AM]
"IMJPMIG8.1"="C:\WINDOWS.0\IME\imjp8_1\IMJPMIG.exe" [08/29/2002 12:38 PM]
"MSPY2002"="C:\WINDOWS.0\system32\IME\PINTLGNT\ImScInst.exe" [08/29/2002 12:39 PM]
"PHIME2002ASync"="C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.exe" [08/29/2002 12:39 PM]
"PHIME2002A"="C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.exe" [08/29/2002 12:39 PM]
"TkBellExe"="C:\Program Files\Real Alternative\Update_OB\realsched.exe" [06/28/2006 10:56 PM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [03/17/2005 02:25 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [03/17/2005 02:45 PM]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [03/28/2006 03:48 PM]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [01/26/2005 06:02 PM]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [04/10/2006 02:58 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [12/31/2002 08:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [9/24/2005 9:57:18 PM]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [8/6/2005 1:07:30 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Post-it® Software Notes Lite.lnk.disabled [2/27/2007 9:45:18 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlowDownCPU]
C:\WINDOWS.0\INF\MSI\SlowDownCPU\SlowDownCPU.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe




-- End of Deckard's System Scanner: finished at 2008-07-22 00:16:25 ------------
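One way to read a log like the one posted above by machine, as an added example that is not part of this thread and not tooling from HijackThis or Deckard's System Scanner: a small Python triage script that parses the O2/O4/O17/O23 lines into structured entries and attaches review reasons to the ones a malware-removal helper checks first (autostart entries outside the usual install roots, executables imitating a system binary name, services with no publisher, and nameservers outside an expected set). The trusted-root list, the system-binary name list and the flagging rules are this example's own assumptions. The sample input is a handful of lines copied from the posted log plus one constructed Temp-folder Run entry, which is not from the log and exists only so that a flag fires.

```python
"""Triage of a HijackThis-style log (added example; not code from the thread,
from HijackThis or from Deckard's System Scanner).

Parses the sections a malware-removal helper reads first:
  O2  browser helper objects (CLSID + DLL path)
  O4  Run keys and Startup-folder shortcuts (autostart entries)
  O17 per-interface NameServer settings
  O23 services (name, publisher, binary path)
and attaches review reasons to entries that run from outside the usual
install roots, imitate a system binary name, or carry no publisher.
The roots, the name list and the rules below are this example's assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample input: lines copied from the log posted above, plus one
# invented Temp-folder Run entry (the last O4 line) so that the rules fire.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37D16-3959-4EC6-98C8-11C0429EBE9C}: NameServer = 202.156.1.78,202.156.1.68
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
"""

# Assumed "normal" install roots (the posted machine has Windows in C:\WINDOWS.0).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\windows.0\\", "c:\\program files\\", "c:\\progra~1\\")
# Names that malware commonly borrows; legitimate copies live in system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe",
                   "services.exe", "smss.exe", "explorer.exe"}

O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<key>HK[^\[]*?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<key>(?:Global |User )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O17_DNS = re.compile(r"^O17 - .*?NameServer = (?P<servers>[\d.,]+)")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str                                  # HijackThis section tag, e.g. "O4"
    label: str                                    # entry name, service name or key
    path: str                                     # executable/DLL path or nameserver list
    reasons: List[str] = field(default_factory=list)  # empty => nothing to review


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|scr|bat|cmd))", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def path_reasons(path: str) -> List[str]:
    """Heuristic review reasons for a binary path (this example's own rules)."""
    p = path.lower()
    reasons = []
    if p and not p.startswith(TRUSTED_ROOTS):
        reasons.append("runs from outside Windows/Program Files")
    if "\\temp\\" in p or "\\documents and settings\\" in p:
        reasons.append("user-writable location")
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and "\\system32\\" not in p:
        reasons.append(f"system binary name {name} outside system32")
    return reasons


def triage(log_text: str, expected_dns: Optional[Set[str]] = None) -> List[Finding]:
    """Parse the O2/O4/O17/O23 lines of a HijackThis log into Findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := (O4_RUN.match(line) or O4_STARTUP.match(line)):
            path = executable_from_command(m["cmd"])
            findings.append(Finding("O4", f'{m["key"]} [{m["name"]}]', path, path_reasons(path)))
        elif m := O2_BHO.match(line):
            findings.append(Finding("O2", f'{m["name"]} {m["clsid"]}', m["path"],
                                    path_reasons(m["path"])))
        elif m := O17_DNS.match(line):
            servers = m["servers"].split(",")
            reasons = []
            if expected_dns is not None:  # analyst supplies the ISP/DHCP servers
                unexpected = [s for s in servers if s not in expected_dns]
                if unexpected:
                    reasons.append("nameserver not in expected set: " + ",".join(unexpected))
            findings.append(Finding("O17", "NameServer", ",".join(servers), reasons))
        elif m := O23_SVC.match(line):
            reasons = path_reasons(m["path"])
            if m["owner"].strip().lower() == "unknown owner":
                reasons.append("service binary has no publisher; verify signature/hash by hand")
            findings.append(Finding("O23", m["name"], m["path"], reasons))
    return findings


def flagged(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.reasons]


def report(findings: List[Finding]) -> str:
    lines = []
    for f in findings:
        lines.append(f'[{"REVIEW" if f.reasons else "  ok  "}] {f.section} {f.label}: {f.path}')
        lines.extend(f"           - {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the copied lines only the "Unknown owner" service is marked for review, which matches how a helper reads the posted log: no publisher is not evidence of malware, just a reason to check the file by hand. The O17 rule only fires when the analyst passes the nameservers the machine is expected to use, since the script cannot know the ISP or DHCP assignment on its own.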

#17
fenzodahl512 (Malware Removal, 9,863 posts)
Good news. Your log looks clean to my eyes.


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed





NEXT


Please Install/Update Sun Java

Updating Java:
  • Go to Start --> Control Panel --> Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  • It should have the Java icon next to it.
  • Select it and click Remove. This will uninstall the previous (outdated) version of Java.
  • Then download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 7




NEXT


I noticed you already have..

Avast Antivirus as your antivirus
Malwarebytes' as your antispyware


However, I haven't seen any third-party firewall in your logs. Do you have any? If you don't, please install ONLY ONE of these free and excellent firewalls below:
After you install the third-party firewall, please disable your Windows firewall. Go to My Computer >> Control Panel >> Windows Firewall and choose the Off (not recommended) option. Then click Apply and OK.



Lastly, to keep your operating system up to date, please visit the link below monthly.

To learn more about how to protect yourself while on the internet read this excellent article by Tony Klein: So how did I get infected in the first place?

Please also read an excellent article by miekiemoes :Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

#18
npbfs (Topic Starter, Member, 10 posts)
Hi fenzodahl512,

My computer behaviour is good!! No more system slowdown or unusual .exe running. We can close this thread!!

Appreciate your help and thanks for the prompt responses.

Thank you!! :)

#19
fenzodahl512 (Malware Removal, 9,863 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.