
skywatcher

Tearing My Hair Out [RESOLVED]


I keep getting avast on-screen warnings (approx. every 5 seconds) that a trojan horse was found. The box says:

File name: C:\WINNT\system32\tpszxyd.sys (actual file name different each occurrence)

Malware name: Win-32:Refpron-C[Trj].

Malware type: Trojan Horse

VPS version: 081222-0,22/12/2008

I have downloaded HijackThis and run a scan and got the log as follows (the upload button below would not let me upload the log file for some reason, so I have cut and pasted it here):

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:05:21, on 23/12/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINNT\system32\hgcheck.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINNT\system32\internat.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE

c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\System32\WScript.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\Down(0).exe

C:\WINNT\system32\cmd.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [hgcheck] C:\WINNT\system32\hgcheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224351519192

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: Windows Mang - Unknown owner - C:\WINNT\Windows.exe (file missing)

O23 - Service: õóÎļþ - Unknown owner - C:\WINNT\gfsse11452s.bat

--

End of file - 7754 bytes

Can anyone advise what to do now, as I do not want to delete all these files, as some of them look important. Thanks a million to anyone out there who can help.

skywatcher
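As an added example that is not part of this thread, the following Python script applies the checks a helper makes by eye when reading the O23 lines above (no publisher, binary missing, service backed by a .bat instead of an executable, a mojibake service name, a file sitting directly in the Windows root) to HijackThis O23 lines and to ComboFix R/S service lines. The sample lines are copied from the logs posted in this thread; the regexes, flag names and thresholds are my own and are heuristics for what to investigate, not proof that a file is malicious.

```python
"""Triage HijackThis O23 and ComboFix service lines for the indicators a
malware-removal helper looks for. Added example for this thread: the sample
lines come from the logs posted above; the checks are heuristics that point
at what to investigate, they do not prove a file is malicious."""
import re
from pathlib import PureWindowsPath

# HijackThis: "O23 - Service: <display name> - <owner> - <path>[ (file missing)]"
# Name and owner are matched non-greedily, so a display name containing " - "
# would be split wrongly; none of the lines in this thread do that.
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# ComboFix: "<R|S><start type> <short name>;<display name>;<path> [<date> <size>]"
CF_SVC = re.compile(
    r"^(?P<start>[RS]\d) (?P<short>[^;]+);(?P<name>[^;]*);(?P<path>.+?)(?: \[[^\]]*\])?$"
)

SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".wsf", ".pif", ".scr"}
BINARY_EXTS = {".exe", ".sys", ".dll"}


def parse_service(line):
    """Return {'name', 'owner', 'path', 'missing'} for a service line, or None."""
    m = HJT_O23.match(line)
    if m:
        path = m.group("path")
        missing = path.endswith("(file missing)")
        if missing:
            path = path[: -len("(file missing)")].strip()
        return {"name": m.group("name"), "owner": m.group("owner"),
                "path": path, "missing": missing}
    m = CF_SVC.match(line)
    if m:
        # ComboFix does not print a publisher, so owner stays None.
        return {"name": m.group("name") or m.group("short"), "owner": None,
                "path": m.group("path").strip('"'), "missing": False}
    return None


def triage(line):
    """Return (display name, [flags]) for a service line, or None for any other line."""
    svc = parse_service(line)
    if svc is None:
        return None
    flags = []
    if svc["owner"] == "Unknown owner":      # HijackThis could not attribute the binary
        flags.append("no publisher")
    if svc["missing"]:                        # a registered service whose binary is gone
        flags.append("binary missing")
    if not svc["name"].isascii():             # e.g. the mojibake service name in this thread
        flags.append("non-ASCII name")
    p = PureWindowsPath(svc["path"])
    ext = p.suffix.lower()
    if ext in SCRIPT_EXTS:                    # a service should not be a batch/script file
        flags.append(f"runs a script ({ext})")
    elif ext not in BINARY_EXTS:              # e.g. "c:\winnt\Windows Mang", no extension at all
        flags.append("no executable extension")
    # Legitimate service binaries live in system32 or a vendor folder, not in C:\WINNT itself.
    if p.parent.name.lower() in {"winnt", "windows"} and p.parent.parent == PureWindowsPath(p.anchor):
        flags.append("lives in the Windows root")
    return svc["name"], flags


def report(lines):
    """Return [(name, flags)] for every flagged service line, most-flagged first."""
    hits = [r for r in (triage(l.rstrip("\n")) for l in lines) if r and r[1]]
    return sorted(hits, key=lambda h: -len(h[1]))


# Sample input: lines copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_LINES = [
    r"O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe",
    r"O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe",
    r"O23 - Service: Windows Mang - Unknown owner - C:\WINNT\Windows.exe (file missing)",
    r"O23 - Service: õóÎļþ - Unknown owner - C:\WINNT\gfsse11452s.bat",
    r"R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2008-10-18 111184]",
    r"S2 Windows Mang;Windows Mang;c:\winnt\Windows Mang [2008-12-22 572416]",
    r'S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-14 30192]',
]

if __name__ == "__main__":
    for name, flags in report(SAMPLE_LINES):
        print(f"{name!r}: {', '.join(flags)}")
```

Run against a full HijackThis or ComboFix log, only the two rogue services from this thread come out flagged; every avast, NVIDIA, EPSON and Google entry passes clean.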


Hi,

Yes, those files are important; only a couple are malware.

Can you please uninstall Spybot Search and Destroy? It is a good program, but it may impede our fix.

We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Hi Sarah,

Thanks for your help. I have followed your advice and run the software suggested. Do I need to do anything else? I disabled avast whilst I did this and have re-enabled it now. Can I also reinstall Spybot now? Here is the log file........ Thanks again,

Malcolm

log file follows...

ComboFix 08-12-31.01 - Administrator 01/01/2009 22:24:37.1 - NTFSx86

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.711 [GMT 0:00]

Running from: c:\documents and settings\Administrator.SARAH\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\a.bat

c:\recycler\svchost.exe

c:\winnt\Delete.bat

c:\winnt\Downloaded Program Files\setup.inf

c:\winnt\system32\comsa32.sys

c:\winnt\system32\config\SAM.SAV

c:\winnt\system32\delme.bat

c:\winnt\system32\tpszxyd.sys

c:\winnt\Web\default.htt

.

((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))

.

2009-01-01 22:29 . 09-01-01 22:29 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_270.dat

2009-01-01 22:29 . 09-01-01 22:29 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_20c.dat

2009-01-01 21:52 . 03-06-19 12:05 21,552 --a--c--- c:\winnt\system32\dllcache\usbstor.sys

2009-01-01 21:48 . 09-01-01 21:48 <DIR> d-------- c:\program files\LG Electronics

2009-01-01 21:47 . 09-01-01 21:48 <DIR> d-------- c:\program files\LG PC Suite

2009-01-01 21:47 . 09-01-01 21:47 <DIR> d-------- c:\documents and settings\Administrator.SARAH\Application Data\LG Electronics

2009-01-01 21:47 . 08-01-14 17:48 1,703,936 --a------ c:\winnt\system32\gdiplus.dll

2009-01-01 21:47 . 07-11-08 16:26 1,164,728 --a------ c:\winnt\system32\NMSDVDXU.dll

2009-01-01 21:47 . 05-03-18 16:55 630,784 --a------ c:\winnt\system32\vsflex8u.ocx

2009-01-01 21:47 . 07-11-21 14:27 591,872 --a------ c:\winnt\system32\AlbumDisplay.ocx

2009-01-01 21:47 . 05-09-26 22:55 419,240 --a------ c:\winnt\system32\Vsflex7L.ocx

2009-01-01 21:47 . 00-05-22 00:00 244,416 --a------ c:\winnt\system32\Msflxgrd.ocx

2009-01-01 21:46 . 09-01-01 21:46 <DIR> d-------- c:\documents and settings\Administrator.SARAH\Application Data\InstallShield

2008-12-31 15:05 . 08-12-31 15:05 104,658 --a------ c:\winnt\system32\hgcheck.jpg

2008-12-24 13:43 . 08-12-24 13:43 88 --a------ C:\_dele.bat

2008-12-24 13:07 . 08-12-24 13:07 59,904 --a------ c:\winnt\Down(0).exe

2008-12-24 02:13 . 08-12-24 02:13 <DIR> d-------- c:\winnt\Sun

2008-12-24 01:00 . 08-12-24 01:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-24 00:40 . 08-12-24 00:40 <DIR> d-------- c:\program files\SpywareBlaster

2008-12-23 22:51 . 08-12-23 22:51 <DIR> d-------- c:\program files\Trend Micro

2008-12-23 12:04 . 09-01-01 22:12 <DIR> d-------- c:\documents and settings\Administrator.SARAH\Application Data\LimeWire

2008-12-23 11:59 . 08-12-23 11:58 410,984 --a------ c:\winnt\system32\deploytk.dll

2008-12-23 11:59 . 08-12-23 11:58 73,728 --a------ c:\winnt\system32\javacpl.cpl

2008-12-23 11:30 . 08-12-24 13:07 104,659 --a------ c:\winnt\system32\hgcheck.exe

2008-12-22 22:30 . 08-12-22 22:30 572,416 -r-hs---- c:\winnt\Windows Mang

2008-12-18 18:48 . 08-12-18 18:48 <DIR> d-------- c:\winnt\uninstall\Football Champions Quiz

2008-12-18 18:48 . 08-12-18 18:48 <DIR> d-------- c:\winnt\uninstall

2008-12-18 18:48 . 08-12-18 18:48 <DIR> d-------- c:\program files\Football Champions Quiz

2008-12-18 18:44 . 08-12-18 18:47 <DIR> d-------- c:\program files\Five-A-Side Football

2008-12-17 19:08 . 08-12-23 18:59 <DIR> d-------- c:\program files\Kick'n'Rush 2006

2008-12-14 18:22 . 08-12-22 01:15 309,949 --a------ c:\winnt\system32\hguest.exe

2008-12-14 18:22 . 08-12-31 15:05 227 --a------ c:\winnt\system32\hgset.ini

2008-12-14 18:22 . 08-12-31 15:26 52 --a------ c:\winnt\system32\work.ini

2008-12-13 15:49 . 08-12-13 15:49 <DIR> d-------- c:\program files\Sibelius Software

2008-12-07 00:32 . 08-12-07 00:33 100,663,296 --a------ c:\winnt\MEMORY.DMP

2008-12-02 23:43 . 08-12-02 23:43 0 --a------ c:\winnt\OpPrintServer.INI

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-01 22:08 --------- d---a-w c:\program files\Spybot - Search & Destroy

2009-01-01 22:08 --------- d---a-w c:\documents and settings\All Users.WINNT\Application Data\Spybot - Search & Destroy

2009-01-01 21:48 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-24 01:02 --------- d---a-w c:\program files\Lavasoft

2008-12-23 11:58 --------- d---a-w c:\program files\Java

2008-12-23 11:52 --------- d---a-w c:\program files\LimeWire

2008-12-16 17:46 85 ----a-w C:\ARP.BAT

2008-12-16 17:46 37 ----a-w C:\bat.bat

2008-11-24 23:24 570,396 --sh--r c:\winnt\gfsse11452s.bat

2008-11-21 18:27 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\WinZip

2008-11-12 10:28 --------- d-----w c:\program files\NOS

2008-11-12 10:28 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\NOS

2008-11-11 16:17 --------- d-----w c:\program files\Common Files\Adobe AIR

2008-11-11 16:16 --------- d---a-w c:\program files\Common Files\Adobe

2008-10-18 20:52 271 ---h--w c:\program files\desktop.ini

2008-10-18 20:52 21,952 ---h--w c:\program files\folder.htt

2008-10-18 00:09 558,142 ----a-w c:\winnt\java\Packages\646JBDNL.ZIP

2008-10-18 00:09 155,995 ----a-w c:\winnt\java\Packages\8EUJ3VB5.ZIP

2006-01-03 22:06 664,161 -c--a-w c:\program files\JuiceUserGuide.pdf

2005-03-10 23:34 84,254 -c--a-w c:\program files\belkin manual.pdf

2000-07-26 17:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys

.

c:\winnt\system32\svchost.exe ... Infected -- Win32.Qhost !!

----a-w 7,952 2000-07-26 17:00:00 c:\winnt\system32\svchost.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\winnt\System32\NVMCTRAY.DLL" [03-05-02 13:19 49152]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-05-21 14:56 68856]

"internat.exe"="internat.exe" [00-07-26 17:00 20752 c:\winnt\system32\internat.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [03-05-02 13:19 4640768]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [08-11-26 17:18 81000]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [08-10-18 18:04 30192]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [08-06-12 02:38 34672]

"hgcheck"="c:\winnt\system32\hgcheck.exe" [08-12-24 13:07 104659]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [08-12-23 11:58 136600]

"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]

"nwiz"="nwiz.exe" [03-05-02 13:19 323584 c:\winnt\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\winnt\System32\NVMCTRAY.DLL" [03-05-02 13:19 49152]

"internat.exe"="internat.exe" [00-07-26 17:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

c:\documents and settings\Administrator.SARAH\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-09-18 147456]

c:\documents and settings\All Users.WINNT\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-10 113664]

EPSON Status Monitor 3 Environment Check 2.lnk - c:\winnt\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-10-19 113152]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

Phone Connection Monitor.lnk - c:\program files\Sony Ericsson\Mobile\audevicemgr.exe [2007-03-21 753664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= mmdrv.dll

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2008-10-18 111184]

R1 cmosa;cmosa;c:\winnt\system32\drivers\cmosa.sys [2008-10-18 29344]

R2 aswFsBlk;aswFsBlk;c:\winnt\system32\DRIVERS\aswFsBlk.sys [2008-12-17 20560]

R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswMon.sys [2008-10-18 93296]

R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [2008-10-18 61712]

R3 Winacpci;Winacpci;c:\winnt\system32\DRIVERS\winacpci.sys [2008-10-18 602128]

S2 õóÎļþ;õóÎļþ;c:\winnt\gfsse11452s.bat [2008-11-24 570396]

S2 Windows Mang;Windows Mang;c:\winnt\Windows Mang [2008-12-22 572416]

S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-14 30192]

S3 scsiscan;SCSI Scanner Driver;c:\winnt\system32\DRIVERS\scsiscan.sys [2008-10-21 10576]

*Newly Created Service* - IPNAT

*Newly Created Service* - RASAUTO

*Newly Created Service* - SHAREDACCESS

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

LSP: %SystemRoot%\system32\msafd.dll

Trusted Zone: www.igindex.co.uk

Trusted Zone: www.theaa.com

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-01 22:30:25

Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Mang]

"ImagePath"="c:\winnt\Windows Mang"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\õóÎļþ]

"ImagePath"="c:\winnt\gfsse11452s.bat"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)

c:\winnt\system32\wzcdlg.dll

c:\winnt\system32\WZCSAPI.DLL

.

Completion time: 2009-01-01 22:35:24 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-01 22:35:16

Pre-Run: 29,626,302,464 bytes free

Post-Run: 29,676,556,288 bytes free

171


Hi,

There are still some things we have to clear up :)

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Hi Sarah,

Thanks for this. I have run that software, which found a trojan and a trojan downloader, and here is the log file below. Thanks again, and do I need to do anything else? Also, I run avast and have it on all the time; should such a trojan downloader be able to get past it, and can you suggest anything I can do in future to reduce the chance of this happening? Thanks so much for your help, which I am most grateful for.

Kind regards,

Malcolm

log file follows...

Malwarebytes' Anti-Malware 1.31

Database version: 1596

Windows 5.0.2195 Service Pack 4

02/01/2009 12:43:11

mbam-log-2009-01-02 (12-43-11).txt

Scan type: Quick Scan

Objects scanned: 54648

Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\Down(0).exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\hgcheck.jpg (Trojan.Downloader) -> Quarantined and deleted successfully.


You are still infected; there are more things to do.

Actually, to be more specific, you have a Chinese rootkit. So it will take a few more posts.

We need to delete a few entries from the registry. This can be dangerous so first we need to do a backup.

Go to Start > Run

Type:

  • regedit

Click OK.

  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
    • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
    • Click Save and then go to File > Exit.

This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Download SWReg, and extract it.

Open Notepad and paste the following text into it. Click File, then Save As; in the pull-down menu, change it to All Files, and save it as fixme.bat on your Desktop.

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo /GA:F
SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANG /GA:F
SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Mang /GA:F

Open Notepad and paste the following text into it. Click File, then Save As; in the pull-down menu, change it to All Files, and save it as fixme2.reg on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANG]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Mang]

Locate fixme2.reg on your Desktop and double-click on it.

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

When you have done this, run Combofix again.

If you do not understand anything please ask first.

:)


Hi Sarah,

Thanks for this. Before I do this, can you clarify if the text that you ask me to cut and paste should include the words "code" and "quote", as these look as if perhaps they should not be included in the cut and paste? Also, should the whole of the following be the first pasted text, as it showed up as partly in a box, so I thought I would check first. The text as a whole is....

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo /GA:F

CODE

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo /GA:F

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANG /GA:F

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Mang /GA:F

(Also, do the line spacings matter?)

Thanks,

Malcolm


SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo /GA:F

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANG /GA:F

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Mang /GA:F


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANG]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Mang]


The first one is like how it is two posts up.

The last one starts with REGEDIT4. There is a line between each entry. No blank line above REGEDIT4.

There are three lines in the first file.

There are four lines in the second file with a gap between each line.

Does that make sense?

:)


Hi Sarah,

For some reason your last post did not come up first of all with the others, and I cut and pasted the posted text, which seems to match your comments in the last post anyway. I have run ComboFix again and here is the log...

ComboFix 09-01-02.01 - Administrator 04/01/2009 0:00:37.2 - NTFSx86

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.593 [GMT 0:00]

Running from: c:\documents and settings\Administrator.SARAH\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-03 16:47 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\LimeWire

2009-01-02 12:26 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-02 12:26 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes

2009-01-02 12:26 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\Malwarebytes

2009-01-01 22:08 --------- d---a-w c:\program files\Spybot - Search & Destroy

2009-01-01 22:08 --------- d---a-w c:\documents and settings\All Users.WINNT\Application Data\Spybot - Search & Destroy

2009-01-01 21:48 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-01 21:48 --------- d-----w c:\program files\LG PC Suite

2009-01-01 21:48 --------- d-----w c:\program files\LG Electronics

2009-01-01 21:47 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\LG Electronics

2009-01-01 21:46 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\InstallShield

2008-12-24 13:43 88 ----a-w C:\_dele.bat

2008-12-24 13:07 104,659 ----a-w c:\winnt\system32\hgcheck.exe

2008-12-24 01:02 --------- d---a-w c:\program files\Lavasoft

2008-12-24 01:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-12-24 00:40 --------- d-----w c:\program files\SpywareBlaster

2008-12-23 22:51 --------- d-----w c:\program files\Trend Micro

2008-12-23 18:59 --------- d-----w c:\program files\Kick'n'Rush 2006

2008-12-23 11:58 410,984 ----a-w c:\winnt\system32\deploytk.dll

2008-12-23 11:58 --------- d---a-w c:\program files\Java

2008-12-23 11:52 --------- d---a-w c:\program files\LimeWire

2008-12-22 01:15 309,949 ----a-w c:\winnt\system32\hguest.exe

2008-12-18 18:48 --------- d-----w c:\program files\Football Champions Quiz

2008-12-18 18:47 --------- d-----w c:\program files\Five-A-Side Football

2008-12-16 17:46 85 ----a-w C:\ARP.BAT

2008-12-16 17:46 37 ----a-w C:\bat.bat

2008-12-13 15:49 --------- d-----w c:\program files\Sibelius Software

2008-12-03 19:59 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys

2008-12-03 19:59 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys

2008-11-24 23:24 570,396 --sh--r c:\winnt\gfsse11452s.bat

2008-11-21 18:27 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\WinZip

2008-11-12 10:28 --------- d-----w c:\program files\NOS

2008-11-12 10:28 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\NOS

2008-11-11 16:17 --------- d-----w c:\program files\Common Files\Adobe AIR

2008-11-11 16:16 --------- d---a-w c:\program files\Common Files\Adobe

2008-10-18 20:52 271 ---h--w c:\program files\desktop.ini

2008-10-18 20:52 21,952 ---h--w c:\program files\folder.htt

2008-10-18 00:09 558,142 ----a-w c:\winnt\java\Packages\646JBDNL.ZIP

2008-10-18 00:09 155,995 ----a-w c:\winnt\java\Packages\8EUJ3VB5.ZIP

2006-01-03 22:06 664,161 -c--a-w c:\program files\JuiceUserGuide.pdf

2005-03-10 23:34 84,254 -c--a-w c:\program files\belkin manual.pdf

2000-07-26 17:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys

.

c:\winnt\system32\svchost.exe ... Infected -- Win32.Qhost !!

----a-w 7,952 2000-07-26 17:00:00 c:\winnt\system32\svchost.exe

((((((((((((((((((((((((((((( snapshot@2009-01-01_22.33.51.05 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-12-05 22:52:44 114,688 ----a-w c:\winnt\system32\Adobe\Director\np32dsw.dll

+ 2008-12-05 22:53:24 499,712 ----a-w c:\winnt\system32\Adobe\Shockwave 11\Control.dll

+ 2008-12-05 22:33:38 1,798,144 ----a-w c:\winnt\system32\Adobe\Shockwave 11\dirapi.dll

+ 2008-12-05 22:53:28 9,216 ----a-w c:\winnt\system32\Adobe\Shockwave 11\DynaPlayer.dll

+ 2008-12-05 22:25:10 703,488 ----a-w c:\winnt\system32\Adobe\Shockwave 11\gi.dll

+ 2008-12-05 22:25:12 1,145,896 ----a-w c:\winnt\system32\Adobe\Shockwave 11\gt.exe

+ 2008-12-05 22:25:10 52,288 ----a-w c:\winnt\system32\Adobe\Shockwave 11\gtapi.dll

+ 2008-12-05 22:29:48 892,928 ----a-w c:\winnt\system32\Adobe\Shockwave 11\iml32.dll

+ 2008-12-05 22:52:04 266,240 ----a-w c:\winnt\system32\Adobe\Shockwave 11\Plugin.dll

+ 2008-12-05 22:53:58 446,464 ----a-w c:\winnt\system32\Adobe\Shockwave 11\Proj.dll

+ 2008-12-05 23:01:06 460,216 ----a-w c:\winnt\system32\Adobe\Shockwave 11\SwHelper_1103471.exe

+ 2008-12-05 22:51:48 114,688 ----a-w c:\winnt\system32\Adobe\Shockwave 11\SwInit.exe

+ 2008-12-05 22:51:46 94,208 ----a-w c:\winnt\system32\Adobe\Shockwave 11\SwMenu.dll

+ 2008-12-05 22:25:10 58,736 ----a-w c:\winnt\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL

+ 1999-06-25 10:55:30 149,504 ----a-w c:\winnt\system32\Adobe\Shockwave 11\UNWISE.EXE

+ 2008-12-04 01:03:22 53,248 ----a-w c:\winnt\system32\Macromed\Common\SwSupport.dll

+ 2008-12-04 00:59:26 581,632 ----a-w c:\winnt\system32\Macromed\Shockwave 10\Control.dll

+ 2008-12-04 00:59:30 1,490,944 ----a-w c:\winnt\system32\Macromed\Shockwave 10\dirapiX.dll

+ 2008-12-04 00:59:26 24,576 ----a-w c:\winnt\system32\Macromed\Shockwave 10\DynaPlayer.dll

+ 2008-12-04 00:59:30 606,208 ----a-w c:\winnt\system32\Macromed\Shockwave 10\iml32X.dll

+ 2008-12-04 00:59:26 339,968 ----a-w c:\winnt\system32\Macromed\Shockwave 10\Plugin.dll

+ 2008-12-04 00:59:26 475,136 ----a-w c:\winnt\system32\Macromed\Shockwave 10\PluginPing.dll

+ 2008-12-04 00:59:26 180,224 ----a-w c:\winnt\system32\Macromed\Shockwave 10\Proj.dll

+ 2008-12-04 00:59:26 77,824 ----a-w c:\winnt\system32\Macromed\Shockwave 10\SwInit.exe

+ 2008-12-04 00:59:26 86,016 ----a-w c:\winnt\system32\Macromed\Shockwave 10\SwMenuX.dll

+ 2008-12-04 00:59:26 98,304 ----a-w c:\winnt\system32\Macromed\Shockwave 10\SwOnce.dll

+ 2009-01-02 14:17:04 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_218.dat

+ 2009-01-02 12:22:15 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_21c.dat

+ 2009-01-02 18:21:19 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_220.dat

+ 2009-01-02 12:22:08 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_27c.dat

+ 2009-01-03 23:59:57 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_c8.dat

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\winnt\System32\NVMCTRAY.DLL" [02/05/03 13:19 49152]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [21/05/07 14:56 68856]

"internat.exe"="internat.exe" [26/07/00 17:00 20752 c:\winnt\system32\internat.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [02/05/03 13:19 4640768]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [26/11/08 17:18 81000]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [18/10/08 18:04 30192]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [12/06/08 02:38 34672]

"hgcheck"="c:\winnt\system32\hgcheck.exe" [24/12/08 13:07 104659]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [23/12/08 11:58 136600]

"Synchronization Manager"="mobsync.exe" [19/06/03 11:05 111376 c:\winnt\system32\mobsync.exe]

"nwiz"="nwiz.exe" [02/05/03 13:19 323584 c:\winnt\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\winnt\System32\NVMCTRAY.DLL" [02/05/03 13:19 49152]

"internat.exe"="internat.exe" [26/07/00 17:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [19/06/03 11:05 186640]

c:\documents and settings\Administrator.SARAH\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-09-18 147456]

c:\documents and settings\All Users.WINNT\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-10 113664]

EPSON Status Monitor 3 Environment Check 2.lnk - c:\winnt\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-10-19 113152]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

Phone Connection Monitor.lnk - c:\program files\Sony Ericsson\Mobile\audevicemgr.exe [2007-03-21 753664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= mmdrv.dll

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2008-10-18 111184]

R1 cmosa;cmosa;c:\winnt\system32\drivers\cmosa.sys [2008-10-18 29344]

R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2008-10-18 61712]

R3 Winacpci;Winacpci;c:\winnt\system32\drivers\winacpci.sys [2008-10-18 602128]

R4 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2008-12-17 20560]

R4 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [2008-10-18 93296]

S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-11-14 30192]

S3 scsiscan;SCSI Scanner Driver;c:\winnt\system32\drivers\scsiscan.sys [2008-10-21 10576]

S4 õóÎļþ;õóÎļþ;c:\winnt\gfsse11452s.bat [2008-11-24 570396]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

LSP: %SystemRoot%\system32\msafd.dll

Trusted Zone: www.igindex.co.uk

Trusted Zone: www.theaa.com

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-04 00:06:39

Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\õóÎļþ]

"ImagePath"="c:\winnt\gfsse11452s.bat"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(188)

c:\winnt\system32\wzcdlg.dll

c:\winnt\system32\WZCSAPI.DLL

.

Completion time: 04/01/2009 0:08:18

ComboFix-quarantined-files.txt 2009-01-04 00:08:11

ComboFix2.txt 2009-01-01 22:35:26

Pre-Run: 29,703,688,192 bytes free

Post-Run: 29,900,308,480 bytes free

173

thanks,

malcolm


hi sarah,

I hope that I did what you suggested, which I understood as: to save the two texts, one as fixme and the other as fixme2, and to then double click on fixme2 (not on fixme at all) and to then run ComboFix. I then posted the log from that ComboFix run. Was that correct or did I miss something?

kind regards,

malcolm


Hi,

I did want you to run both files (I looked and I accidentally omitted that part), but it seemed to have worked anyways.

There is more to remove. Can you please post a fresh Hijack This log.


hi sarah,

Here it is (it did this scan very quickly - about 2 seconds - is that normal?)

malcolm

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:39:12, on 04/01/2009

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINNT\system32\internat.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE

c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Alwil Software\Avast4\setup\avast.setup

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [hgcheck] C:\WINNT\system32\hgcheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224351519192

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: õóÎļþ - Unknown owner - C:\WINNT\gfsse11452s.bat

--

End of file - 7091 bytes


Hi,

Please click Start, then Run and type msconfig then press enter.

Click on the services tab.

Tell me if you can find:

õóÎļþ

or something using this file:

C:\WINNT\gfsse11452s.bat

If you can, unselect it then click OK.

Post another Hijack This log.


When I tried msconfig, I got an error message saying "cannot find the file etc". I also looked in the Windows directory for the C:\WINNT\gfsse11452s.bat file and could not see that either. I am still getting trojan horse warnings and virus messages from avast. Also, and this may not be relevant, but my computer runs windows 2000p and I tried to download QuickTime 6 today to run on it and by mistake downloaded BitTorrent. When I tried to remove it via the Control Panel Add/Remove Programmes facility, I noticed that the dialogue box which usually lists all programmes was blank?? I am beginning to feel like I am sinking!

Any help most gratefully accepted.

malcolm


ok,

  • Open HiJackThis
  • Click on the "Open Misc Tools Section"
  • click on "delete an NT service"
  • Copy and paste this in: õóÎļþ
  • Click "ok", then reboot

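As an added example (not part of this thread, of HijackThis or of ComboFix), a small Python triage of the O23 service lines of a HijackThis log. The four heuristics are assumptions chosen to surface the pattern in the logs above: a service with a garbled non-ASCII name, no vendor string, and an ImagePath that is a .bat file sitting directly in C:\WINNT; the sample lines are copied from the logs posted earlier in the thread.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example for this thread; it is not part of HijackThis, ComboFix or the
forum's own tooling.  The heuristics are assumed ones, chosen to surface the
service flagged in the logs above: garbled non-ASCII name, "Unknown owner",
and an ImagePath that is a .bat dropped straight into C:\\WINNT.
"""
import re
from pathlib import PureWindowsPath

# Extensions a Windows service ImagePath is normally expected to carry.
SERVICE_EXTENSIONS = {".exe", ".sys"}

# Directories in which a loose service binary is unusual: the Windows root
# itself, as opposed to its system32 subfolder.
WINDOWS_ROOTS = {"c:\\winnt", "c:\\windows"}

# Constructed sample: four O23 lines copied from the HijackThis logs posted
# in this thread.  Only the last one is the malicious service.
SAMPLE_O23 = """\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
O23 - Service: õóÎļþ - Unknown owner - C:\\WINNT\\gfsse11452s.bat
"""

O23_PREFIX = "O23 - Service: "


def parse_o23(line):
    """Split one O23 line into display name, short name, owner and image path.

    HijackThis separates the three fields with ' - '.  The display name may
    itself contain that sequence, so split from the right and keep whatever
    is left as the name.  Returns None for lines that are not O23 entries.
    """
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    # The service's registry (short) name is shown in trailing parentheses
    # when it differs from the display name.
    m = re.search(r"\(([^()]+)\)\s*$", display)
    short_name = m.group(1) if m else display
    return {"display": display.strip(), "short_name": short_name.strip(),
            "owner": owner.strip(), "path": path.strip()}


def suspicious_reasons(entry):
    """Return the heuristics an O23 entry trips (empty list == looks benign)."""
    reasons = []
    if entry["owner"].lower() == "unknown owner":
        reasons.append("no vendor/company string")
    if any(ord(ch) > 127 for ch in entry["short_name"]):
        reasons.append("non-ASCII characters in service name")
    p = PureWindowsPath(entry["path"])
    if p.suffix.lower() not in SERVICE_EXTENSIONS:
        reasons.append(f"unexpected ImagePath extension {p.suffix or '(none)'}")
    if str(p.parent).lower() in WINDOWS_ROOTS:
        reasons.append("file dropped directly into the Windows root")
    return reasons


def triage(log_text):
    """Run the heuristics over every O23 line; return (entry, reasons) pairs."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_O23):
        print(f"{entry['display']!r} -> {entry['path']}")
        for reason in reasons:
            print("   -", reason)
```

Run over the full log rather than the sample to get every service HijackThis listed; an entry tripping several heuristics at once, as the one above does, is the one to check against the registry's ImagePath before deleting it.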

I had to run a new scan and delete the õóÎļþ file (which was the last one listed), which it did on reboot. The log from a new scan following that reboot is below... thanks, malcolm

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:02:05, on 05/01/2009

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINNT\system32\internat.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\BitDownload\BitDownload.exe

C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE

c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iesearch.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [hgcheck] C:\WINNT\system32\hgcheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224351519192

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

--

End of file - 7009 bytes


Did you check the item in Hijack This or Delete it using the "Delete An NT Service" option?


hi sarah,

Oops! I had deleted it by checking the box in Hijack This, but reading your mail I have now gone back and used the Delete an NT Service option for it, which worked. How am I doing? Thanks again.

malcolm


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\WINNT\web

After that, Reboot.

Rescan with Hijack This again and post the log in a reply.


hi sarah,

I have done all that and here is the log..... Thanks again, I really appreciate your sticking with this problem. malcolm

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:47:57, on 05/01/2009

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINNT\system32\internat.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\BitDownload\BitDownload.exe

C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE

c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe

C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iesearch.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [hgcheck] C:\WINNT\system32\hgcheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bitDownload] "C:\Program Files\BitDownload\BitDownload.exe" /minimized

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224351519192

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

--

End of file - 6853 bytes


hi sarah,

Scan done. A few things came up as below and the scan log is below that.

Whilst ComboFix was scanning, an avast warning came up saying a trojan horse had been found and saying the following

malware name - win32:Patched-IT [Trj]

file name - C:\WINNT\system32\svchost.exe

If I clicked the delete button, the warning dialogue box just popped up again and again, so in order to proceed I had to click "no action" and delete on reboot.

Another thing was that ComboFix popped up several boxes toward the end of the scan saying I chose not to restore original Windows files, do I want to keep these non-original files, and I said yes - was that right??

I will reboot now and rerun ComboFix to see if the avast trojan warning pops up again.

thanks again,

malcolm (ComboFix log follows)

ComboFix 09-01-05.02 - Administrator 05/01/2009 21:10:44.3 - NTFSx86

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.653 [GMT 0:00]

Running from: c:\documents and settings\Administrator.SARAH\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-05 20:58 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\LimeWire

2009-01-05 19:29 --------- d-----w c:\program files\Kick'n'Rush 2006

2009-01-04 18:35 --------- d-----w c:\program files\Wyzo

2009-01-04 01:27 --------- d---a-w c:\program files\QuickTime

2009-01-02 12:26 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-02 12:26 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes

2009-01-02 12:26 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\Malwarebytes

2009-01-01 22:08 --------- d---a-w c:\program files\Spybot - Search & Destroy

2009-01-01 22:08 --------- d---a-w c:\documents and settings\All Users.WINNT\Application Data\Spybot - Search & Destroy

2009-01-01 21:48 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-01 21:48 --------- d-----w c:\program files\LG PC Suite

2009-01-01 21:48 --------- d-----w c:\program files\LG Electronics

2009-01-01 21:47 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\LG Electronics

2009-01-01 21:46 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\InstallShield

2008-12-24 13:43 88 ----a-w C:\_dele.bat

2008-12-24 13:07 104,659 ----a-w c:\winnt\system32\hgcheck.exe

2008-12-24 01:02 --------- d---a-w c:\program files\Lavasoft

2008-12-24 01:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-12-24 00:40 --------- d-----w c:\program files\SpywareBlaster

2008-12-23 22:51 --------- d-----w c:\program files\Trend Micro

2008-12-23 11:58 410,984 ----a-w c:\winnt\system32\deploytk.dll

2008-12-23 11:58 --------- d---a-w c:\program files\Java

2008-12-23 11:52 --------- d---a-w c:\program files\LimeWire

2008-12-22 01:15 309,949 ----a-w c:\winnt\system32\hguest.exe

2008-12-18 18:48 --------- d-----w c:\program files\Football Champions Quiz

2008-12-18 18:47 --------- d-----w c:\program files\Five-A-Side Football

2008-12-16 17:46 85 ----a-w C:\ARP.BAT

2008-12-16 17:46 37 ----a-w C:\bat.bat

2008-12-13 15:49 --------- d-----w c:\program files\Sibelius Software

2008-12-03 19:59 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys

2008-12-03 19:59 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys

2008-11-24 23:24 570,396 --sh--r c:\winnt\gfsse11452s.bat

2008-11-21 18:27 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\WinZip

2008-11-12 10:28 --------- d-----w c:\program files\NOS

2008-11-12 10:28 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\NOS

2008-11-11 16:17 --------- d-----w c:\program files\Common Files\Adobe AIR

2008-11-11 16:16 --------- d---a-w c:\program files\Common Files\Adobe

2008-10-18 20:52 271 ---h--w c:\program files\desktop.ini

2008-10-18 20:52 21,952 ---h--w c:\program files\folder.htt

2008-10-18 00:09 558,142 ----a-w c:\winnt\java\Packages\646JBDNL.ZIP

2008-10-18 00:09 155,995 ----a-w c:\winnt\java\Packages\8EUJ3VB5.ZIP

2006-01-03 22:06 664,161 -c--a-w c:\program files\JuiceUserGuide.pdf

2005-03-10 23:34 84,254 -c--a-w c:\program files\belkin manual.pdf

2000-07-26 17:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys

.

c:\winnt\system32\svchost.exe ... Infected -- Win32.Qhost !!

----a-w 7,952 2000-07-26 17:00:00 c:\winnt\system32\svchost.exe

((((((((((((((((((((((((((((( snapshot_Sun 04-01-2009_ 0.07.06.62 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-01-05 11:12:45 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_208.dat

+ 2009-01-04 16:01:25 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_20c.dat

- 2009-01-02 14:17:04 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_218.dat

+ 2009-01-04 15:35:49 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_218.dat

+ 2009-01-05 20:57:01 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_280.dat

+ 2009-01-05 21:10:03 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_3a0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\winnt\System32\NVMCTRAY.DLL" [02/05/03 13:19 49152]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [21/05/07 14:56 68856]

"internat.exe"="internat.exe" [26/07/00 17:00 20752 c:\winnt\system32\internat.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [02/05/03 13:19 4640768]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [26/11/08 17:18 81000]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [18/10/08 18:04 30192]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [12/06/08 02:38 34672]

"hgcheck"="c:\winnt\system32\hgcheck.exe" [24/12/08 13:07 104659]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [23/12/08 11:58 136600]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [04/01/09 01:27 413696]

"Synchronization Manager"="mobsync.exe" [19/06/03 11:05 111376 c:\winnt\system32\mobsync.exe]

"nwiz"="nwiz.exe" [02/05/03 13:19 323584 c:\winnt\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\winnt\System32\NVMCTRAY.DLL" [02/05/03 13:19 49152]

"internat.exe"="internat.exe" [26/07/00 17:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [19/06/03 11:05 186640]

c:\documents and settings\Administrator.SARAH\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-09-18 147456]

c:\documents and settings\All Users.WINNT\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-10 113664]

EPSON Status Monitor 3 Environment Check 2.lnk - c:\winnt\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-10-19 113152]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

Phone Connection Monitor.lnk - c:\program files\Sony Ericsson\Mobile\audevicemgr.exe [2007-03-21 753664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:"*" /L:"English" /KBD:1

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2008-10-18 111184]

R1 cmosa;cmosa;c:\winnt\system32\drivers\cmosa.sys [2008-10-18 29344]

R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2008-10-18 61712]

R3 Winacpci;Winacpci;c:\winnt\system32\drivers\winacpci.sys [2008-10-18 602128]

R4 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2008-12-17 20560]

R4 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [2008-10-18 93296]

S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-11-14 30192]

S3 scsiscan;SCSI Scanner Driver;c:\winnt\system32\drivers\scsiscan.sys [2008-10-21 10576]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

LSP: %SystemRoot%\system32\msafd.dll

Trusted Zone: www.igindex.co.uk

Trusted Zone: www.theaa.com

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-05 21:16:11

Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(188)

c:\winnt\system32\wzcdlg.dll

c:\winnt\system32\WZCSAPI.DLL

.

Completion time: 05/01/2009 21:17:54

ComboFix-quarantined-files.txt 2009-01-05 21:17:49

ComboFix2.txt 2009-01-04 00:08:20

ComboFix3.txt 2009-01-01 22:35:26

Pre-Run: 29,550,022,656 bytes free

Post-Run: 29,853,282,304 bytes free
