Jump to content


problems with System Volume Information

Started by track2, Jul 30 2007 09:21 AM

  • You cannot reply to this topic
15 replies to this topic

#1 OFFLINE   track2

    Member

  • Members
  • PipPip
  • 17 posts

Posted 30 July 2007 - 09:21 AM

Everytime i scan my computer with my anti-spyware, when it bumps into system volume information, my avg will catch it and i can't do anything about it. also i have some folder (which i think might be it) in my d drive (my os is in c drive) but i'm not sure if it's supposed to be there. Can somebody help?

#2 OFFLINE   hazelnut

    try to stay calm

  • Moderators
  • 9,462 posts
  • Gender:Female
  • Location:Huddersfield uk

Posted 30 July 2007 - 11:10 AM

Please can you post a hijackthis log so one of the spyware mods can look at it.

Instructions can be found here

http://forum.pirifor...showtopic=10965

Copy and paste the log into this thread.
CCLEANER, RECUVA, DEFRAGGLER AND SPECCY DOCUMENTATION CAN BE FOUND HERE

http://www.piriform.com/docs

#3 OFFLINE   track2

    Member

  • Members
  • PipPip
  • 17 posts

Posted 30 July 2007 - 12:18 PM

Ohh thanks!!
Here's my hijackthis log;
and also i can't seem to open either one of my drives by double clicking on it, I had to scroll down the folder url bar or right click and explore it. There's a Windows Script Host box that says, Can not find script file "C:\uc.vbs".


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:53 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\msnsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iFinger\iFinger.exe
C:\DOCUME~1\PARAME~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by UC
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: iFinger - {1624F640-49AC-11D3-8ABD-00C04FA95EE0} - C:\PROGRA~1\iFinger\IFINGE~1.DLL
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MSN] msnsgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10857 bytes

#4 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 30 July 2007 - 07:36 PM

Hi Track2

You have a flash drive infection so hopefully the below tools will help get it cleaned up, can we get a couple of samples uploaded first so that they can be passed onto the developer of the tools.

Please download the Suspicious file Packer from Safer-Networking.org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\msnsgr.exe
C:\uc.vbs
C:\WINDOWS\uc.vbs
D:\uc.vbs

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please then visit the below link

http://www.bleepingcomputer.com/submit-mal....php?channel=27

In the Link to topic where this file was requested: area just type Ccleaners, Click Browse and then locate the requested-files.cab archive on your desktop then click Send File

Once it shows

Quote

Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
Close that site and continue with the steps below


Run Hijack This and choose Do A System Scan then place a check next to these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by UC
O4 - HKLM\..\Run: [MSN] msnsgr.exe

Close all open browser and other windows except for HijackThis and press the Fix Checked button

Download Flash Disinfector from here:

http://www.techsupportforum.com/sectools/s...Disinfector.exe

Save it to your system then run the Flash_Disinfector.exe file and follow the on screen prompts


Download this file - Combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall

Please then post back the Combofix log and a new HijackThis log and let us know if your still getting the errors when you open the drives.

Cheers

#5 OFFLINE   track2

    Member

  • Members
  • PipPip
  • 17 posts

Posted 31 July 2007 - 03:54 AM

Hi Andy!! Thanks alot for the advice!! =D I can open my drives now but the weird folders are still on my D drive, should i delete them? I can't remember how they got there... :huh: :( The name of the folders are like this;

1)5b35efcc9554e4790049bb79
2)ee39a3653d2607f0f1f068aa1369c3
3)3a2029dd22844e0565c8b8
4)c5a64c633a59f3c8ca7cb49af698

this is my combo fix log:

ComboFix 07-07-30.2 - "paramet promwong" 2007-07-31 11:28:33.1 [GMT 8:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NWSAPAGENT
-------\NwSapAgent


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))


2007-07-31 11:33 71 --a------ C:\a.bat
2007-07-31 11:27 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 11:26 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-31 00:30 26,112 -r-hs---- C:\WINDOWS\msnmsg.exe
2007-07-30 20:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-30 18:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-30 18:17 <DIR> d-------- C:\DOCUME~1\PARAME~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-30 18:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-30 16:42 <DIR> d---s---- C:\DOCUME~1\PARAME~1\UserData
2007-07-30 16:42 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-30 01:42 28,672 -r-hs---- C:\WINDOWS\msnsgr.exe
2007-07-30 01:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-30 01:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-30 01:11 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-30 01:11 <DIR> d-------- C:\Program Files\CCleaner
2007-07-28 02:20 <DIR> d-------- C:\Program Files\iPod
2007-07-28 02:15 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-28 02:14 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-28 02:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-22 02:49 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-22 02:49 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-22 02:46 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-22 02:46 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-21 15:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-21 15:42 <DIR> d-------- C:\DOCUME~1\PARAME~1\APPLIC~1\Real
2007-07-21 02:44 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-07-21 02:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-07-21 02:40 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-06-16 17:41 1,277 --a------ C:\WINDOWS\mozver.dat
2007-06-10 14:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-10 03:12 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-10 03:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-09 23:42 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-09 23:42 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-06-09 04:56 <DIR> d-------- C:\My Downloads
2007-06-09 04:38 471,040 --a------ C:\WINDOWS\Shrek Screen Saver 1.scr
2007-06-09 04:38 12,288 --a------ C:\WINDOWS\impborl.dll
2007-06-09 04:38 <DIR> d-------- C:\WINDOWS\Shrek Screen Saver 1 dir
2007-06-09 04:31 3,373,888 --a------ C:\WINDOWS\Shrek_Th.scr
2007-06-09 04:31 235,072 --a------ C:\WINDOWS\uninstall Shrek_Th.exe
2007-06-09 04:05 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-09 03:47 <DIR> d-------- C:\DOCUME~1\PARAME~1\Contacts
2007-06-09 03:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-06-09 03:39 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-06-09 03:34 <DIR> d-------- C:\Program Files\MSN Messenger
2007-06-09 03:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-09 03:00 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-09 02:22 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-08 03:36 <DIR> d-------- C:\Program Files\Warcraft III
2007-06-07 17:44 <DIR> d-------- C:\Program Files\iFinger
2007-06-07 16:47 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2007-06-07 16:47 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2007-06-07 16:47 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2007-06-07 16:47 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2007-06-07 16:47 57,344 --a------ C:\WINDOWS\system32\ElkCtlPS.dll
2007-06-07 16:47 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2007-06-07 16:47 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2007-06-07 16:47 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2007-06-07 16:47 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-06-07 16:47 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2007-06-07 16:47 39,424 --a------ C:\WINDOWS\system32\VxLibRes.dll
2007-06-07 16:47 319,488 --a------ C:\WINDOWS\system32\CamCplRes.dll
2007-06-07 16:47 262,144 --a------ C:\WINDOWS\system32\ElkCtrl.exe
2007-06-07 16:47 167,936 --a------ C:\WINDOWS\system32\VxLib.dll
2007-06-07 16:47 151,552 --a------ C:\WINDOWS\system32\VLib.dll
2007-06-07 16:47 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-06-07 16:47 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-07 16:47 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2007-06-07 16:47 <DIR> d-------- C:\Program Files\Acer
2007-06-07 16:29 9,867 --a------ C:\WINDOWS\system32\drivers\HOTKEY.sys
2007-06-07 15:51 <DIR> d-------- C:\DOCUME~1\PARAME~1\APPLIC~1\AdobeUM
2007-06-06 19:17 466,944 --a------ C:\WINDOWS\system32\w29NCPA.dll
2007-06-06 19:17 2,208,512 -ra------ C:\WINDOWS\system32\drivers\w29n51.sys
2007-06-06 19:17 110,592 --a------ C:\WINDOWS\system32\w29mlres.dll
2007-06-06 19:15 528,096 -ra------ C:\WINDOWS\system32\drivers\ar5211.sys
2007-06-02 07:10 <DIR> d-------- C:\Program Files\Real
2007-06-02 07:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-06-02 07:10 <DIR> d-------- C:\Program Files\Common Files\Real


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 18:17 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-28 02:21 --------- d-------- C:\Program Files\iTunes
2007-07-21 02:37 --------- d-------- C:\Program Files\Real Alternative
2007-07-19 23:05 0 --a------ C:\WINDOWS\system32\UTSCSI.EXE
2007-06-07 16:47 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-07 16:47 --------- d-------- C:\Program Files\Common Files\Logitech
2007-06-07 16:29 --------- d-------- C:\Program Files\Launch Manager
2007-06-07 15:31 --------- d-------- C:\Program Files\Broadcom
2007-05-29 01:59 --------- d-------- C:\Program Files\Oxford
2007-05-29 01:56 --------- d-------- C:\Program Files\TEXTware
2007-05-29 01:56 --------- d-------- C:\Program Files\IDM
2007-05-29 01:51 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-29 01:51 --------- dr-h----- C:\DOCUME~1\PARAME~1\APPLIC~1\SecuROM
2007-05-28 19:14 --------- d-------- C:\DOCUME~1\PARAME~1\APPLIC~1\Ahead
2007-05-21 20:20 12187343 --------- C:\AVG7QT.DAT
2007-05-21 00:59 0 -rahs---- C:\MSDOS.SYS
2007-05-21 00:59 0 -rahs---- C:\IO.SYS
2007-05-21 00:59 0 --a------ C:\CONFIG.SYS
2007-05-21 00:59 0 --a------ C:\AUTOEXEC.BAT
2007-05-21 00:55 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-05-16 23:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-06-09 02:24]
"SkyTel"="SkyTel.EXE" [2006-07-19 09:42 C:\WINDOWS\SkyTel.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56]
"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2006-01-10 18:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-19 21:52 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 01:43 C:\WINDOWS\Alcmtr.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2005-01-31 08:05]
"TkBellExe"="realsched.exe" []
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 13:36]
"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [2002-08-30 15:02]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28]
"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 10:45]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2005-11-08 10:19]
"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-04-06 19:00]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-04-06 19:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Microsoft Windows Update Service"="msnmsg.exe" [2007-07-31 00:30 C:\WINDOWS\msnmsg.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-07 04:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\paramet promwong\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
iFinger.lnk - C:\Program Files\iFinger\iFinger.exe [2007-06-07 17:44:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 s24trans;WLAN Transport;C:\WINDOWS\system32\DRIVERS\s24trans.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 HSF_DPV;HSF_DPV;C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
R3 HSFHWAZL;HSFHWAZL;C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 POWERKEY;POWERKEY;\??\C:\Program Files\Launch Manager\POWERKEY.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 tifm21;tifm21;C:\WINDOWS\system32\drivers\tifm21.sys
R3 w39n51;Intel® PRO/Wireless 3945ABG Adapter Driver;C:\WINDOWS\system32\DRIVERS\w39n51.sys
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys
S3 BTWDNDIS;Bluetooth LAN Access Server;C:\WINDOWS\system32\DRIVERS\btwdndis.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{157d142c-0d0a-11dc-8ec7-00130215b461}]
Auto\command-  .exe
AutoRun\command-  .exe
Explore\command-  .exe
OPEN\command-  .exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{374969fc-141d-11dc-8ed0-00130215b461}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uc.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{374969fd-141d-11dc-8ed0-00130215b461}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uc.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62c61b40-0d4f-11dc-8ec8-00130215b461}]
AutoRun\command- F:\start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d4c7602-0eb1-11dc-8ec9-00130215b461}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uc.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7233615f-119c-11dc-8ecf-00130215b461}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uc.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b83a99f-06f4-11dc-8eb1-a0374765476e}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uc.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f59109e4-1024-11dc-8ecb-00130215b461}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uc.vbs


Contents of the 'Scheduled Tasks' folder
2007-07-27 18:15:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-07-31 03:18:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 11:33:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-31 11:35:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-31 11:35

--- E O F ---




AND THIS IS MY HIJACKTHIS LOG =)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:23 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\msnmsg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iFinger\iFinger.exe
C:\WINDOWS\system32\lvcomsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\DOCUME~1\PARAME~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: iFinger - {1624F640-49AC-11D3-8ABD-00C04FA95EE0} - C:\PROGRA~1\iFinger\IFINGE~1.DLL
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Windows Update Service] msnmsg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10491 bytes

#6 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building &amp; Design, Malware Testing/Research and spending time with friends &amp; family.

Posted 31 July 2007 - 07:20 AM

Cheers for the logs and for uploading the files,

The only file that was uploaded was the C:\WINDOWS\msnsgr.exe so the others would of already been removed from your system at some stage, the msnsgr.exe was corrupt so I couldnt test it but I can see in your latest log that its now changed its name so can we repeat the uploading steps and see if we can find out what this file is and what changes its made to your system,

Please delete the requested-files[Date/Time].cab folder from your desktop then run SFP.exe again, this time copy the following line into the Step 1: Paste Text window:

C:\a.bat
C:\WINDOWS\msnmsg.exe

then click "Continue".

This will create a new .cab file on your desktop named requested-files[Date/Time].cab, can you please upload that again on the BleepingComputer link,

Regarding these folders on D:\, its difficult to comment without knowing what created them and what is inside them so if they are not too large could you right click each one and choose Send To > Compressed (zipped) Folder, this will then make a copy of the folder in the same area with a .zip extension, if they are not too large then also upload them on BleepingComputer and I'll let you know if there is any malware files inside any of them,

Run Hijack This and choose Do A System Scan then place a check next to these entries

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Microsoft Windows Update Service] msnmsg.exe

Close all open browser and other windows except for HijackThis and press the Fix Checked button

Then delete these below files but you will have to set Windows to show hidden and System files first to locate them all

Click Start. Goto MyComputer then C:\drive
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button then click Apply and OK.

Then delete these files

C:\a.bat
C:\WINDOWS\msnmsg.exe
C:\WINDOWS\msnsgr.exe

After you have removed the files set Windows to hide system and hidden files again as explained above by pressing the Restore defaults button.

Next open notepad (Start Menu > Run > type notepad and press ok) then copy and paste the contents of the code box into Notepad making REGEDIT4 the top line.
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{157d142c-0d0a-11dc-8ec7-00130215b461}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{374969fc-141d-11dc-8ed0-00130215b461}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{374969fd-141d-11dc-8ed0-00130215b461}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d4c7602-0eb1-11dc-8ec9-00130215b461}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7233615f-119c-11dc-8ecf-00130215b461}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b83a99f-06f4-11dc-8eb1-a0374765476e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f59109e4-1024-11dc-8ecb-00130215b461}]

Goto File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files then name it fix.reg and save it to your desktop, double click fix.reg(or right click and choose Merge) and allow it to be merged into the registry which will remove the entries.

Finally run a full scan with Kaspersky
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • If you see a Windows [dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Please then post back the Kaspersky log and a new HijackThis, let me know if you have any problems

Cheers

Andy

#7 OFFLINE   track2

    Member

  • Members
  • PipPip
  • 17 posts

Posted 31 July 2007 - 01:22 PM

Hi Andy! I couldn't find any of the files u asked me to delete from my c drive. I've already checked the show hidden files and uncheck the hide protected operating system files option. All 3 of them are not there. I've also added the registry u gave me and when i ran the kapersky online scanner, the same thing occured when i scan with the other anti-spywares. When it comes to C:\System Volume Information, multiple AVG notices poped up and say it's a threat and I can't heal the file or move it to vault. Is it a bug or the scanner doesn't recognize it?

This is my Kapersky log file:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 31, 2007 9:09:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/07/2007
Kaspersky Anti-Virus database records: 347256
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 67723
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:05:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\paramet promwong\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\paramet promwong\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\paramet promwong\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\paramet promwong\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\paramet promwong\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\paramet promwong\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\paramet promwong\Local Settings\History\History.IE5\MSHist012007073120070801\index.dat Object is locked skipped
C:\Documents and Settings\paramet promwong\Local Settings\Temp\Perflib_Perfdata_658.dat Object is locked skipped
C:\Documents and Settings\paramet promwong\Local Settings\Temp\Perflib_Perfdata_bac.dat Object is locked skipped
C:\Documents and Settings\paramet promwong\Local Settings\Temp\Perflib_Perfdata_c5c.dat Object is locked skipped
C:\Documents and Settings\paramet promwong\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\paramet promwong\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\paramet promwong\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\paramet promwong\UserData\index.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP27\A0002228.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP27\A0002229.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP28\A0002235.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP28\A0002236.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP28\A0002246.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP28\A0002247.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002254.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002255.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002264.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002265.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002288.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002289.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002305.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002372.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002373.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002399.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002400.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002439.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002440.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002595.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002596.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP37\A0003047.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP38\A0004644.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP38\A0004659.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP38\A0004660.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP39\A0004760.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP39\A0004761.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP40\A0004778.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP40\A0004779.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP45\A0005027.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP45\A0005029.vbs Object is locked skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP79\A0011988.exe Infected: IM-Worm.Win32.Agent.f skipped
C:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP81\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP27\A0002231.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP28\A0002238.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP28\A0002249.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002257.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002267.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002291.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP29\A0002308.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP30\A0002315.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP30\A0002326.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002350.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002361.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002375.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002402.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002415.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002430.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002442.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP31\A0002599.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP32\A0002770.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP33\A0002783.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP34\A0002804.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP35\A0002809.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP35\A0002896.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP36\A0003037.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP37\A0003049.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP37\A0003065.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP38\A0003107.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP38\A0003177.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP38\A0004646.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP38\A0004662.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP39\A0004763.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP40\A0004781.vbs Object is locked skipped
D:\System Volume Information\_restore{103A30E5-E482-467C-A8DB-43E7C39EEC64}\RP47\A0005822.vbs Object is locked skipped

Scan process completed.


And this is my new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:18 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lvcomsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\PARAME~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: iFinger - {1624F640-49AC-11D3-8ABD-00C04FA95EE0} - C:\PROGRA~1\iFinger\IFINGE~1.DLL
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10486 bytes

I really appreciate your time and your help!! Thanks a bunch!! =)

#8 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building &amp; Design, Malware Testing/Research and spending time with friends &amp; family.

Posted 01 August 2007 - 03:02 PM

Hi Track2

Sorry for the delay, thanks again for uploading the files, the msnmsg.exe is a backdoor trojan which would allow the attacker to have access to your system via IRC channels, because of that you will need to change passwords for any sites you have accessed and if you have done any banking online or payed for goods you should contact the bank to explain the situation so they can monitor the account.

The random named folders on D:\ are all fine and created my Microsoft, they are leftover folders from updates so its fine to ignore them or remove them then visit Windows Updates to see if there's any updates available as these folder should really be removed automatically after the update.

For your System Volume Information folder, can you turn off System Restore to clear all the restore points then turn it back on and that should prevent AVG from showing more alerts, its probably just because AVG cannot access the files in the System Volume Information folder so its unable to delete them but just turning it off and back on will remove anything inside


Goto Start > Run > type (or copy and paste)

control sysdm.cpl,,4

press Enter

Place a check in the box Turn off System Restore

Click Apply then click Yes on the confirmation popup

When it shows its been turned off then turn it back 'On' by unticking the same checkbox & click OK (make sure its back on before closing the sysetm restore window)

Run SDFix to make sure the trojan files are not still on the system as its been updated to remove the ircbots you had on your PC plus it will also repair any other damage the backdoor trojan may have made to disable services or add restrictions etc..

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks

#9 OFFLINE   track2

    Member

  • Members
  • PipPip
  • 17 posts

Posted 02 August 2007 - 05:20 PM

Hello Andy! It's ok about the delay, I wasn't around much too
I've done what you instructed and here's my SDFix log:


SDFix: Version 1.95

Run by paramet promwong on Fri 08/03/2007 at 01:00 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\UTSCSI.EXE - Deleted
C:\WINDOWS\img4145.zip - Deleted
C:\WINDOWS\images.zip - Deleted
C:\WINDOWS\msnsgr.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\paramet promwong\Local Settings\Application Data\Microsoft\Messenger\p*@hotmail.com\Sharing Folders\k*@hotmail.com\Thumbs.db
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\paramet promwong\Desktop\palm's\mobile\malaysia\genting\SIV21.tmp
C:\Documents and Settings\paramet promwong\Desktop\palm's\mobile\malaysia\genting\SIV9.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished


and this is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:54 AM, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\lvcomsx.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\DOCUME~1\PARAME~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: iFinger - {1624F640-49AC-11D3-8ABD-00C04FA95EE0} - C:\PROGRA~1\iFinger\IFINGE~1.DLL
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10872 bytes

Thanks!!

#10 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building &amp; Design, Malware Testing/Research and spending time with friends &amp; family.

Posted 02 August 2007 - 05:57 PM

Thanks Track2

Can you upload the SDFix backups at Bleeping Computer, its removed 3 backdoor trojan related files but the other file removed looks legit, if it is the file can easily be restored from the backups folder, the filename (UTSCSI.EXE) isnt included in SDFix so its been detected due to strings or a checksum match so I'll have to check the file to see why and get it removed from the tool.

Goto

http://www.bleepingcomputer.com/submit-mal....php?channel=27

When the page opens, in the Browse to the file you want to submit: area just copy and paste this below

C:\SDFix\backups\backups.zip

Then click Send File

Cheers

Andy

#11 OFFLINE   track2

    Member

  • Members
  • PipPip
  • 17 posts

Posted 04 August 2007 - 02:02 AM

Hiya Andy!! I've already posted the backup zip file like u asked me to. My avg is still catching some windows file as a threat, mostly in system32 folders, this time different frm before i did the changes with the system restore like u asked me to. Do i still have bugs inside my comp now?

#12 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building &amp; Design, Malware Testing/Research and spending time with friends &amp; family.

Posted 04 August 2007 - 06:57 AM

Hi track2

Thanks for uploading the backups, the file SDFix removed is empty which is the reason it was included, sdfix removes 0 byte .exe files from system32 as no genuine program would be 0 bytes and its quite common for infections to add dummy files which do nothing to try prevent the legit programs with the same names from working such as regedit.exe, taskkill.exe etc..

There's no point restoring that file with it being empty but you may need to reinstall the program that created it as its still running as a service on your system

O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE (file missing)

The file should of been 45568 bytes and its name is UTSCSI.EXE, I believe its for USBest PQI Card Drive (USB) from http://www.usbest.com.tw

Let us know if you have any difficulties locating the software that created that service of its no longer on your system,

The C:\SDFix folder can be removed now as it contains samples of the files it removed and 3 of those are backdoor trojans which maybe related to your AVG alerts,

Can you post any information from AVG about where its detecting these files in Windows or System32 ? does it create an alert log that you can copy and paste back on here ?

If its detecting trojans then it is likely you still have infected files so knowing what its detecting and where would be a great help,

Please run this online scan:

Run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

Thanks

#13 OFFLINE   track2

    Member

  • Members
  • PipPip
  • 17 posts

Posted 06 August 2007 - 04:25 PM

Hi Andy!
I'm so sorry for the delay, I was out of town for an emergency, I'm kinda on a 24 hours on call so i don't know when i'll be gone next. I really appreciate your help and your time =)
I've done scanning with panda scan and this is my log:


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\paramet promwong\Application Data\Mozilla\Firefox\Profiles\6etdv6ft.default\cookies.txt[ad.yieldmanager.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\paramet promwong\Desktop\Palm's comp\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\paramet promwong\Desktop\Palm's comp\Flash_Disinfector.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Installers\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\system32\nircmd.exe
My avg unfortunately doesn't have a log but i took down the stuff that it caught:

C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\drivers\etc\hosts

#14 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building &amp; Design, Malware Testing/Research and spending time with friends &amp; family.

Posted 06 August 2007 - 05:45 PM

Hi track2,

No problem about the delays, I understand real life comes first so just reply when you can and I'd get a email showing that you have responded

The files found by Pandascan are all fine, NirCmd is just a command line tool used by Combofix & Flash Disinfector, it could be a problem file if it was added to the system by malware but as its in a trusted program its fine to ignore, you can read more about NirCmd on their homepage here

http://www.nirsoft.n...ils/nircmd.html

Its the same for Process.exe in SDFix, its only used so the script can stop certain malware files if they are running in Safe Mode so it can then clean up without any interference. You can read more about the file on their homepage here if needed

http://www.beyondlogic.org/consulting/proc...processutil.htm

Its fine to ignore but SDFix and Combofix are updated weekly so I'd recommend removing them and then if you ever need them again anytime just download the latest versions, you can do that by deleting these files

C:\Documents and Settings\paramet promwong\Desktop\Palm's comp\ComboFix.exe
C:\Installers\SDFix.exe


The files found by AVG are all essential Windows files so I think it maybe detecting that they have changed rather than them being infected, we can check the hosts file anyway to be sure thats correct but for the others Id suggest following the steps on the AVG help forum here

http://forum.grisoft.cz/freeforum/read.php...,backpage=1,sv=

Quote

CHANGED FILE ALERTS
Posted by: BIG AL 43 - Moderator (IP Logged)
Date: June 20, 2007 11:44AM

All Users

It is normal that AVG shows that files, the MBR or Boot record to have changed. These are done during normal maintainance, when you or windows updates files or have had to correct errors on the drive. The only time that you should worry is if they also show as infected.

To get AVG to quit showing them as changed, open the AVG Test Center, click the F3 key on your keyboard and tell it to accept the changes. If it still shows something as changed after this.. delete the file named AVG7QT.DAT in the %ALLUSERSPROFILE%\Application Data\avg7\ folder and AVG will rebuild it the next time it is run.

The %ALLUSERSPROFILE% is different for each version of Windows. The following are the typical locations for XP and Win9x

XP - C:\Documents and Settings\All Users\Application Data\avg7
Win9x -C:\Windows\All Users\Application Data\avg7

Let me know if its still detecting the files after folllowing those steps

For the hosts file, please open HijackThis, click Config... in the bottom right of the scan screen (Or Misc tools if its on the main Menu page), click Open hosts file manager and this will then display the contents of the hosts file, please then click Open in Notepad and copy and paste the contents of the notepad file back on here so we can make sure the hosts file is correct.

Let us know how it goes

Andy

#15 OFFLINE   MathieuSol

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 30 November 2007 - 10:25 PM

View PostAndyManchesta, on Jul 30 2007, 07:36 PM, said:

Hi Track2

You have a flash drive infection so hopefully the below tools will help get it cleaned up...

Hey there,

I have done all the steps suggested... here are the logs for the scans! Hopefully you can help me out, I've been trying to root out this viral for awhile,

My main inquisition would be on how to root it out of External Hardrives....

I just had a blue screen problem, Now I have my things backed up on externals, and reinstalled XP...
I'm going to be running Ubuntu soon I believe, once I get these Externals cleaned up...

Here are the logs:

ComboFix 07-12-01.1 - ChocoSolista 2007-11-30 13:40:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.624 [GMT -8:00]
Running from: C:\Documents and Settings\ChocoSolista\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\inst.exe
C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
C:\Documents and Settings\Owner\Application Data\Sskuknwrd.dll
C:\lswmv.ini
C:\Program Files\Common Files\uninstall information
C:\Program Files\Common Files\WinSoftware
C:\Program Files\Common Files\WinSoftware\CrXML.dll
C:\Program Files\Common Files\WinSoftware\PCheck.dll
C:\Program Files\internet optimizer
C:\Program Files\ISTsvc
C:\Program Files\SideFind
C:\Program Files\surfsidekick 3
C:\Program Files\TBONAS
C:\WINDOWS\system32\nsvsvc
C:\WINDOWS\system32\vidctrl

.
((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
.

2007-11-30 13:23 . 2002-08-29 01:32 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-28 20:07 . 2007-11-28 20:07 <DIR> d---s---- C:\Documents and Settings\Media Lab\UserData
2007-11-28 19:05 . 2007-11-28 19:05 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-11-28 19:03 . 2002-08-29 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2007-11-28 19:02 . 2002-08-29 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-11-28 19:01 . 2007-11-28 19:01 299,552 --a------ C:\WINDOWS\WMSysPrx.prx
2007-11-28 19:01 . 2007-11-28 20:06 25,065 --a------ C:\WINDOWS\system32\wmpscheme.xml
2007-11-28 19:01 . 2007-11-28 19:01 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-11-28 19:01 . 2007-11-28 19:01 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-11-28 19:01 . 2007-11-28 19:01 2,577 --a------ C:\WINDOWS\system32\CONFIG.NT
2007-11-28 19:01 . 2007-11-28 19:01 0 --a------ C:\WINDOWS\control.ini
2007-11-28 19:00 . 2007-11-28 19:01 <DIR> d--hs---- C:\Documents and Settings\All Users.WINDOWS\DRM
2007-11-28 18:59 . 2002-08-29 04:00 2,479,104 --a--c--- C:\WINDOWS\system32\dllcache\msoeres.dll
2007-11-28 18:58 . 2002-08-29 04:00 1,267,712 --a--c--- C:\WINDOWS\system32\dllcache\cimwin32.dll
2007-11-28 15:30 . 2002-08-29 04:00 3,374,640 --a--c--- C:\WINDOWS\system32\dllcache\tourP.exe
2007-11-28 15:28 . 2002-08-29 04:00 13,107,200 --a------ C:\WINDOWS\system32\oembios.bin
2007-11-28 15:27 . 2002-08-29 04:00 3,440,660 --a------ C:\WINDOWS\system32\drivers\gm.dls
2007-11-28 15:26 . 2002-08-29 04:00 2,028,032 --a--c--- C:\WINDOWS\system32\dllcache\cdosys.dll
2007-11-28 10:46 . 2002-08-28 19:40 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2007-11-28 10:46 . 2001-08-17 05:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-11-28 10:44 . 2001-08-17 05:28 150,239 --a------ C:\WINDOWS\system32\drivers\HSF_AMOS.sys
2007-11-28 10:44 . 2001-08-17 05:28 67,167 --a------ C:\WINDOWS\system32\drivers\HSF_BSC2.sys
2007-11-28 10:44 . 2001-08-17 14:36 67,072 --a------ C:\WINDOWS\system32\usbui.dll
2007-11-28 10:41 . 2007-11-28 18:59 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Documents
2007-11-28 10:41 . 2002-08-29 04:00 2,049,999 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2007-11-28 10:40 . 2007-11-28 19:04 626 --a------ C:\WINDOWS\system32\$winnt$.inf
2007-11-15 13:28 . 2007-11-28 15:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-11-15 13:28 . 2007-11-15 13:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-15 13:23 . 2007-11-15 13:23 <DIR> d-------- C:\Program Files\XP TCPIP Repair
2007-11-14 11:44 . 2002-08-29 04:00 557,128 --a--c--- C:\WINDOWS\system32\dllcache\dao360.dll
2007-11-14 11:44 . 2002-08-29 04:00 360,448 --a--c--- C:\WINDOWS\system32\dllcache\callcont.dll
2007-11-14 11:44 . 2002-08-29 04:00 249,856 --a--c--- C:\WINDOWS\system32\dllcache\mst120.dll
2007-11-14 11:44 . 2002-08-29 04:00 69,632 --a--c--- C:\WINDOWS\system32\dllcache\nmcom.dll
2007-11-12 11:04 . 2007-11-12 11:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-11 13:04 . 2007-11-11 13:04 <DIR> d-------- C:\Program Files\VSO
2007-11-11 13:03 . 2007-11-11 13:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Vso
2007-11-11 13:03 . 2007-11-11 13:03 47,360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-11-11 12:55 . 2007-11-11 13:03 <DIR> d-------- C:\Program Files\LG Software Innovations
2007-11-06 07:25 . 2007-11-06 07:25 <DIR> d-------- C:\Program Files\Skype
2007-11-06 07:25 . 2007-11-06 07:25 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-11-06 07:25 . 2007-11-15 13:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Skype
2007-11-05 20:23 . 2007-11-05 20:23 <DIR> d-------- C:\Program Files\eLecta Live
2007-11-05 09:40 . 2007-11-05 09:40 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 23:16 --------- d-----w C:\Program Files\lg_fwupdate
2007-11-11 20:55 --------- d-----w C:\Program Files\ffdshow
2007-11-06 22:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-11-05 23:50 --------- d-----w C:\Program Files\BitTorrent
2007-11-05 23:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-11-05 17:40 --------- d-----w C:\Program Files\MSN Messenger
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-05-11 02:20 784 ----a-w C:\Documents and Settings\Owner\Application Data\mpauth.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 04:00]


*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-01 13:50:52
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-01 13:51:38 - machine was rebooted
.
--- E O F ---

#16 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building &amp; Design, Malware Testing/Research and spending time with friends &amp; family.

Posted 06 December 2007 - 11:16 AM

Hi MathieuSol, Welcome to the forum,

If you still require some help could you please start a new topic and include a HijackThis log and a new Combofix log and Id be happy to help you check the system for any problems

Cheers

Andy
Back to Spyware Hell


  1. Piriform Community Forums
  2. Computer Help and Discussion
  3. Spyware Hell