What the Tech: computer forums for help with removing malicious software (malware) and improving computer security

> Couple of trojans that continue to reinstall
smooth_cannibal (New Member; Posts: 6; Joined: 28-March 07; Member No.: 69,149; Operating System: XP Service Pack 1)
post Mar 29 2007, 04:50 PM
Post #1

I am using Avast for my virus removal and SUPERAntiSpyware for my spyware remover. Both programs will detect them; however, once they are removed they will reinstall themselves.

Avast is telling me I have the following trojans:

win32 small-ekd
win32 small-emg
win32 agent-fgi
win32 agent-fie
I don't know enough about trojans to know if those little extensions or whatever are important or not.


Well, here's the log.



R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {92ACB38D-2912-57B5-3FEA-5180013E52C2} - (no file)
O3 - Toolbar: (no name) - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145144444859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145144435234
O17 - HKLM\System\CCS\Services\Tcpip\..\{90479BB9-7E66-42A2-B52D-E12A75783061}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D22438CA-B1CB-4C3F-BF74-7A5112869587}: NameServer = 64.136.20.121 64.136.28.121
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: winysd32 - winysd32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Microsoft Java Service (Windows Java Service) - Unknown owner - C:\WINDOWS\jusched.exe

Any help would be great. I had a dialer as well that isn't on here, but that is because I got rid of that. I know it is part of one of those trojans, but that was especially crippling my crappy dial-up connection.
LDTate (Forum God; Group: Root Admin; Posts: 40,577; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276)
post Mar 29 2007, 04:55 PM
Post #2

Hello and Welcome to the forum.

I need to see the top part of your HijackThis log. Scan again and post the full text that it creates.
smooth_cannibal (New Member; Posts: 6; Joined: 28-March 07; Member No.: 69,149; Operating System: XP Service Pack 1)
post Mar 29 2007, 06:44 PM
Post #3

OK, here is the whole log report.
Avast always stops this process, but rsa1.exe will run in the background, as well as svhosts3.exe, so they aren't in the running processes part of the log. If necessary I can make them run and do a scan that way, if for any reason, when the process isn't running, it wouldn't pick up any reg keys or anything.

Logfile of HijackThis v1.99.1
Scan saved at 6:34:41 PM, on 3/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\jusched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Brian\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {92ACB38D-2912-57B5-3FEA-5180013E52C2} - (no file)
O3 - Toolbar: (no name) - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145144444859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145144435234
O17 - HKLM\System\CCS\Services\Tcpip\..\{90479BB9-7E66-42A2-B52D-E12A75783061}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D22438CA-B1CB-4C3F-BF74-7A5112869587}: NameServer = 64.136.28.120 64.136.20.120
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: winysd32 - winysd32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Microsoft Java Service (Windows Java Service) - Unknown owner - C:\WINDOWS\jusched.exe

LDTate (Forum God; Group: Root Admin; Posts: 40,577; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276)
post Mar 29 2007, 06:56 PM
Post #4

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Click Start > Run > and type in:

services.msc

Click OK.

In the Services window find Hardware Clock Driver (hwclock). Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.



1. Click Start > Settings > Control Panel.
2. Next, open Add/Remove Programs and remove if listed:
Logitech Desktop Messenger



Run HijackThis. Hit "None of the above", then click "Do a System Scan Only". Put a check in the box on the left side of these:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {92ACB38D-2912-57B5-3FEA-5180013E52C2} - (no file)
O3 - Toolbar: (no name) - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winysd32 - winysd32.dll (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete this File if listed:
tcpipmon.exe



Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, to keep saved passwords click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.


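The entries LDTate picked out of the log share a few recognisable traits: load points whose file is gone ("(no file)", "(file missing)"), Run entries that name a bare file with no path, and a service that HijackThis reports with "Unknown owner" (no company name found in the binary) even though it calls itself a Microsoft service and runs from C:\WINDOWS rather than System32 or Program Files. The Python below is an added example; it is not part of the thread and it is not HijackThis' own logic. It encodes those traits as heuristics and runs them over lines copied from the posted log. The severity labels, the reasons and the rule thresholds are this example's assumptions, and every hit still needs a person to look at the file.

```python
"""Added example (not from the thread): heuristic triage of HijackThis 1.99 log
lines. The rules below are this example's own reading of the log, not
HijackThis' logic and not the forum's fix list; each hit still needs a human.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    severity: str   # "fix": remove the load point; "review": check the file before deciding
    section: str    # HijackThis section code such as O4, O20, O23
    entry: str      # the raw log line
    reason: str


_SECTION = re.compile(r"^(R\d|O\d+) - ")
_RUN = re.compile(r"^O4 - .*?\[[^\]]+\]\s+(.*)$")
_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def section_of(line: str) -> Optional[str]:
    m = _SECTION.match(line)
    return m.group(1) if m else None


def is_dangling(line: str) -> bool:
    """Entry whose target no longer exists on disk."""
    return line.endswith("(no file)") or line.endswith("(file missing)")


def is_bare_command(cmd: str) -> bool:
    """No drive or directory: Windows finds the file by searching PATH, so the
    name alone does not tell you which file actually runs."""
    cmd = cmd.strip().strip('"')
    head = cmd.split()[0] if cmd else ""
    return bool(head) and "\\" not in head and ":" not in head


def in_windows_root(path: str) -> bool:
    """Binary sits directly in the Windows directory, not in System32 or Program Files."""
    return ntpath.dirname(path.strip('"')).lower().endswith(":\\windows")


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = section_of(line)
        if sec is None:
            continue
        if is_dangling(line):
            if sec in ("O20", "O23"):
                why = ("load point outlived its file; a Winlogon Notify DLL or service "
                       "that keeps coming back means the dropper is still running")
            else:
                why = "orphaned entry with nothing to load; remove it"
            findings.append(Finding("fix", sec, line, why))
        elif sec == "O4":
            m = _RUN.match(line)
            if m and is_bare_command(m.group(1)):
                findings.append(Finding("review", sec, line,
                    "bare filename resolved by PATH search; locate the file and check its publisher"))
        elif sec == "O23":
            m = _SERVICE.match(line)
            if m and m.group("owner") == "Unknown owner" and (
                    m.group("name").lower().startswith("microsoft")
                    or in_windows_root(m.group("path"))):
                findings.append(Finding("review", sec, line,
                    "no company name in the binary, yet it claims a Microsoft name or "
                    "runs from the Windows root; compare with a known-good copy"))
    return findings


# Constructed sample: lines copied from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {92ACB38D-2912-57B5-3FEA-5180013E52C2} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: winysd32 - winysd32.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Microsoft Java Service (Windows Java Service) - Unknown owner - C:\WINDOWS\jusched.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry}\n         {f.reason}")
```

Run as a script it prints six findings: three "fix" entries (the dangling O2, O20 and O23 lines) and three "review" entries. The bare-name rule deliberately flags Creative's CTHELPER.EXE alongside tcpipmon.exe: a bare name is exactly what a dropper uses to blend in with vendor entries written the same way, and only locating the file on disk settles which is which.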
smooth_cannibal (New Member; Posts: 6; Joined: 28-March 07; Member No.: 69,149; Operating System: XP Service Pack 1)
post Mar 30 2007, 06:42 AM
Post #5

Logfile of HijackThis v1.99.1
Scan saved at 6:39:04 AM, on 3/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\jusched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tcpipmon.exe
C:\WINDOWS\System32\tcpipmon.exe
C:\Documents and Settings\Brian\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145144444859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145144435234
O17 - HKLM\System\CCS\Services\Tcpip\..\{90479BB9-7E66-42A2-B52D-E12A75783061}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D22438CA-B1CB-4C3F-BF74-7A5112869587}: NameServer = 64.136.28.120 64.136.20.120
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Microsoft Java Service (Windows Java Service) - Unknown owner - C:\WINDOWS\jusched.exe

The computer ran nicely until I signed back on to the internet. It ran as fast as it usually does for about 2 minutes, and then the trojans get picked up again by Avast.
LDTate (Forum God; Group: Root Admin; Posts: 40,577; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276)
post Mar 30 2007, 08:03 AM
Post #6

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
smooth_cannibal (New Member; Posts: 6; Joined: 28-March 07; Member No.: 69,149; Operating System: XP Service Pack 1)
post Mar 30 2007, 06:02 PM
Post #7

Here's the report from ComboFix.

"Brian" - 07-03-30 17:55:49 Service Pack 1
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\Brian\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\Common Files\download
C:\Program Files\outlook
C:\Program Files\winupdate
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Brian
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\CROSOF~1
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\CROSOF~1.NET
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\DOBE~1
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\MANTEC~1
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\PPPATC~1
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\SKS~1
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\SMBOLS~1
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\SSEMBL~1
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\STEM32~1
C:\qoobox\purity\DOCUME~1\Brian\APPLIC~1\SSEMBL~1\SSEMBL~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\APPATC~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\ASEMBL~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\CROSOF~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\DOBE~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\from.txt
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\ICROSO~1.NET
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\PPPATC~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\RACLE~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\SKS~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\SSTEM3~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\SSTEM~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\STEM32~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\YMBOLS~1
C:\qoobox\purity\DOCUME~1\Brian\MYDOCU~1\YSTEM3~1
C:\qoobox\purity\Program Files\APPATC~1
C:\qoobox\purity\Program Files\CROSOF~1.NET
C:\qoobox\purity\Program Files\MBOLS~1
C:\qoobox\purity\Program Files\MCROSO~1.NET
C:\qoobox\purity\Program Files\PPPATC~1
C:\qoobox\purity\Program Files\SEMBLY~1
C:\qoobox\purity\Program Files\SKS~1
C:\qoobox\purity\Program Files\SMBOLS~1
C:\qoobox\purity\Program Files\SSEMBL~1
C:\qoobox\purity\Program Files\STEM~1
C:\qoobox\purity\Program Files\YMBOLS~1
C:\qoobox\purity\Program Files\YSTEM3~1
C:\qoobox\purity\Program Files\Common Files\ASKS~1
C:\qoobox\purity\Program Files\Common Files\CROSOF~1
C:\qoobox\purity\Program Files\Common Files\CROSOF~1.NET
C:\qoobox\purity\Program Files\Common Files\CROSOF~2.NET
C:\qoobox\purity\Program Files\Common Files\DOBE~2
C:\qoobox\purity\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\Program Files\Common Files\SSEMBL~1
C:\qoobox\purity\Program Files\Common Files\SSTEM3~1
C:\qoobox\purity\Program Files\Common Files\STEM~1
C:\qoobox\purity\Program Files\Common Files\YSTEM~1
C:\qoobox\purity\WINDOWS\DOBE~2
C:\qoobox\purity\WINDOWS\FNTS~1
C:\qoobox\purity\WINDOWS\FNTS~2
C:\qoobox\purity\WINDOWS\MCROSO~1.NET
C:\qoobox\purity\WINDOWS\RACLE~1
C:\qoobox\purity\WINDOWS\SKS~1
C:\qoobox\purity\WINDOWS\SSEMBL~1
C:\qoobox\purity\WINDOWS\WNSXS~1
C:\qoobox\purity\WINDOWS\YMANTE~1
C:\qoobox\purity\WINDOWS\YSTEM3~1
C:\qoobox\purity\WINDOWS\system32\ASEMBL~1
C:\qoobox\purity\WINDOWS\system32\CROSOF~1
C:\qoobox\purity\WINDOWS\system32\CROSOF~1.NET
C:\qoobox\purity\WINDOWS\system32\DOBE~1
C:\qoobox\purity\WINDOWS\system32\FNTS~1
C:\qoobox\purity\WINDOWS\system32\MBOLS~1
C:\qoobox\purity\WINDOWS\system32\MCROSO~1
C:\qoobox\purity\WINDOWS\system32\RACLE~1
C:\qoobox\purity\WINDOWS\system32\SSTEM3~1
C:\qoobox\purity\WINDOWS\system32\TSKS~1
C:\qoobox\purity\WINDOWS\system32\WNSXS~1
C:\qoobox\purity\WINDOWS\system32\YSTEM3~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-30 ))))))))))))))))))))))))))))))))))


2007-03-30 17:43 72,192 --a------ C:\rsa1.exe
2007-03-30 06:36 7,200 --a------ C:\pbmqja.exe
2007-03-30 06:19 48,128 --a------ C:\dlepsvjx.exe
2007-03-29 16:18 42,048 --a------ C:\WINDOWS\system32\msdom2.dll
2007-03-28 15:36 43,647 --a------ C:\WINDOWS\system32\svhosts3.exe
2007-03-26 18:56 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-03-26 17:43 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-03-26 17:43 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-03-26 17:43 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-03-26 17:43 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-03-25 17:09 78,340 --a------ C:\WINDOWS\system32\msdtc_32.exe
2007-03-25 17:09 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-03-25 16:00 84,992 -r-hs---- C:\WINDOWS\jusched.exe
2007-03-25 16:00 12,800 --a------ C:\WINDOWS\system32\user_32.dll
2007-03-19 18:38 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2007-03-19 18:38 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2007-03-19 18:38 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2007-03-19 18:38 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2007-03-19 18:38 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2007-03-19 18:38 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-03-19 18:38 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-03-19 18:38 <DIR> d-------- C:\Program Files\Free Audio Pack
2007-03-19 04:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-03-19 04:29 <DIR> d-------- C:\Program Files\AltoMP3 Gold
2007-03-19 04:01 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-03-19 04:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-03-19 03:59 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2007-03-18 17:45 0 --a------ C:\WINDOWS\system32\ftpupd.exe
2007-03-15 05:53 <DIR> d-------- C:\Program Files\Free WMA to MP3 Converter
2007-03-14 06:21 <DIR> d-------- C:\Program Files\BitTorrent
2007-03-09 18:03 <DIR> d-------- C:\FU4WMver13


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-30 05:53 -------- d--h----- C:\Program Files\installshield installation information
2007-03-30 05:53 -------- d-------- C:\Program Files\logitech
2007-03-27 14:13 -------- d-------- C:\Program Files\instafink
2007-03-25 18:23 -------- d-------- C:\Program Files\full tilt poker.org
2007-03-20 04:28 4184 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-03-19 22:02 -------- d-------- C:\Program Files\handmark
2007-02-14 12:24 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-02-13 13:10 -------- d-------- C:\Program Files\trymedia
2007-02-06 09:34 -------- d-------- C:\DOCUME~1\Brian\APPLIC~1\u3
2007-01-15 10:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RcMan.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"Logitech Utility"="Logi_MwX.Exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"IndexSearch"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl03a\\BrStDvPt.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CTXFIREG"="CTxfiReg.exe"
"CTHelper"="CTHELPER.EXE"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Icatch(VI) SnapDetect.lnk"
"backup"="C:\\WINDOWS\\pss\\Icatch(VI) SnapDetect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Twain_32\\CA561A\\SNAPDE~1.EXE "
"item"="Icatch(VI) SnapDetect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SmartUI.lnk"
"backup"="C:\\WINDOWS\\pss\\SmartUI.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Scansoft\\PAPERP~1\\SmartUI\\SmartUI.exe "
"item"="SmartUI"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^HotSync Manager.lnk]
"path"="C:\\Documents and Settings\\Brian\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Palm\\HOTSYNC.EXE "
"item"="HotSync Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="p2pnetworking"
"hkey"="HKLM"
"command"="p2pnetworking.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pptd40nt"
"hkey"="HKLM"
"command"="C:\\Program Files\\Scansoft\\PaperPort\\pptd40nt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SvcManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svhosts3"
"hkey"="HKLM"
"command"="svhosts3.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcpipmon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tcpipmon"
"hkey"="HKLM"
"command"="tcpipmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=dword:00000002
"ose"=dword:00000003
"Brother XP spl Service"=dword:00000002
"brmfrmps"=dword:00000002
"Adobe LM Service"=dword:00000003


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-30 17:58:09




Here is the hijack file

Logfile of HijackThis v1.99.1
Scan saved at 6:00:15 PM, on 3/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\jusched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Brian\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145144444859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145144435234
O17 - HKLM\System\CCS\Services\Tcpip\..\{90479BB9-7E66-42A2-B52D-E12A75783061}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D22438CA-B1CB-4C3F-BF74-7A5112869587}: NameServer = 64.136.28.120 64.136.20.120
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Microsoft Java Service (Windows Java Service) - Unknown owner - C:\WINDOWS\jusched.exe

LDTate
post Mar 30 2007, 06:55 PM
Post #8


Forum God

Group: Root Admin
Posts: 40,577
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276




Download Avenger by Swandog, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).
http://swandog46.geekstogo.com/avenger.zip

Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.

Click Format, and ensure Word Wrap is unchecked.

Copy and Paste all the text inside the box below into Notepad.

Now save the file as RemoveFiles.txt in a location where you can find it.



QUOTE
Files to delete:
C:\rsa1.exe
C:\pbmqja.exe
C:\dlepsvjx.exe
C:\WINDOWS\system32\msdom2.dll
C:\WINDOWS\system32\svhosts3.exe
C:\WINDOWS\system32\msdtc_32.exe
C:\WINDOWS\system32\user_32.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\Mscc2fr.dll
C:\WINDOWS\system32\CMDLGFR.DLL
C:\WINDOWS\system32\TABCTFR.DLL
C:\WINDOWS\system32\inetfr.DLL
C:\WINDOWS\system32\MSCMCFR.DLL
C:\WINDOWS\system32\VB6FR.DLL
C:\WINDOWS\system32\VB6STKIT.DLL
C:\WINDOWS\system32\ftpupd.exe
C:\tcpipmon.exe

Folders to delete:
C:\qoobox


Start Avenger by double clicking on Avenger.exe.


Check Load script from file:

Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.

Double click it to enter it into Avenger.

Click the green traffic light symbol.

You will be asked if you want to execute the script, answer Yes.

At this point you may get prompts from your protection systems, allow them please.

Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.

Answer Yes, and allow your computer to re-boot.

Upon re-boot a command window will briefly appear on screen (this is normal).

A Notepad text file will be created C:\avenger.txt.

Copy and Paste it into your next post please, along with a new HJT log.





smooth_cannibal
post Mar 30 2007, 08:14 PM
Post #9


New Member
*

Group: New Member
Posts: 6
Joined: 28-March 07
Member No.: 69,149
Operating System: xp service pack 1



avenger log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tlwknagy

*******************

Script file located at: \??\C:\rppfayxh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\rsa1.exe deleted successfully.


File C:\pbmqja.exe not found!
Deletion of file C:\pbmqja.exe failed!

Could not process line:
C:\pbmqja.exe
Status: 0xc0000034



File C:\dlepsvjx.exe not found!
Deletion of file C:\dlepsvjx.exe failed!

Could not process line:
C:\dlepsvjx.exe
Status: 0xc0000034

File C:\WINDOWS\system32\msdom2.dll deleted successfully.
File C:\WINDOWS\system32\svhosts3.exe deleted successfully.
File C:\WINDOWS\system32\msdtc_32.exe deleted successfully.
File C:\WINDOWS\system32\user_32.dll deleted successfully.
File C:\WINDOWS\system32\gtv_sd.bin deleted successfully.
File C:\WINDOWS\system32\Mscc2fr.dll deleted successfully.
File C:\WINDOWS\system32\CMDLGFR.DLL deleted successfully.
File C:\WINDOWS\system32\TABCTFR.DLL deleted successfully.
File C:\WINDOWS\system32\inetfr.DLL deleted successfully.
File C:\WINDOWS\system32\MSCMCFR.DLL deleted successfully.
File C:\WINDOWS\system32\VB6FR.DLL deleted successfully.
File C:\WINDOWS\system32\VB6STKIT.DLL deleted successfully.
File C:\WINDOWS\system32\ftpupd.exe deleted successfully.


File C:\tcpipmon.exe not found!
Deletion of file C:\tcpipmon.exe failed!

Could not process line:
C:\tcpipmon.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.



hijack log

Logfile of HijackThis v1.99.1
Scan saved at 8:10:46 PM, on 3/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\jusched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Brian\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145144444859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145144435234
O17 - HKLM\System\CCS\Services\Tcpip\..\{90479BB9-7E66-42A2-B52D-E12A75783061}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Microsoft Java Service (Windows Java Service) - Unknown owner - C:\WINDOWS\jusched.exe

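The Avenger script format from post #8 and the avenger.txt results from post #9, reconciled by an added example that is not part of this thread or of Avenger itself: it lists each path the script named and what the log reports for it, decoding the 0xc0000034 status seen above. The sample script and log are constructed excerpts in the thread's format; the "Folder ... deleted successfully." wording is an assumption, since the thread's log never reports on the folder entry at all.

```python
import re

# Constructed sample in the thread's Avenger script format (a subset of the thread's entries).
SCRIPT = """Files to delete:
C:\\rsa1.exe
C:\\pbmqja.exe
C:\\WINDOWS\\system32\\svhosts3.exe

Folders to delete:
C:\\qoobox
"""

# Constructed avenger.txt excerpt in the thread's format (blank lines dropped for brevity).
LOG = """File C:\\rsa1.exe deleted successfully.
File C:\\pbmqja.exe not found!
Deletion of file C:\\pbmqja.exe failed!
Could not process line:
C:\\pbmqja.exe
Status: 0xc0000034
File C:\\WINDOWS\\system32\\svhosts3.exe deleted successfully.
"""

# 0xC0000034 is the NTSTATUS value STATUS_OBJECT_NAME_NOT_FOUND: the path no longer existed.
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

_DELETED = re.compile(r"^(?:File|Folder) (.+) deleted successfully\.$")  # "Folder" wording is assumed
_FAILED = re.compile(r"^Deletion of (?:file|folder) (.+) failed!$")      # thread shows only "file"
_STATUS = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")


def script_targets(text):
    """Every path listed under the 'Files to delete:' / 'Folders to delete:' headers."""
    return [l for l in (x.strip() for x in text.splitlines()) if l and not l.endswith(":")]


def parse_log(text):
    """Map each path the log reports on to ('deleted', None) or ('failed', ntstatus_or_None)."""
    results = {}
    pending = None          # last failed path still waiting for its "Status:" line
    for raw in text.splitlines():
        line = raw.strip()
        if m := _DELETED.match(line):
            results[m.group(1).lower()] = ("deleted", None)
        elif m := _FAILED.match(line):
            pending = m.group(1).lower()
            results[pending] = ("failed", None)
        elif (m := _STATUS.match(line)) and pending is not None:
            results[pending] = ("failed", int(m.group(1), 16))
            pending = None
    return results


def reconcile(script_text, log_text):
    """For every path in the script, say what the log shows happened to it."""
    outcomes = parse_log(log_text)
    report = {}
    for path in script_targets(script_text):
        hit = outcomes.get(path.lower())    # Windows paths compare case-insensitively
        if hit is None:
            report[path] = "no result recorded"     # e.g. the folder entry in the thread's log
        elif hit[0] == "deleted":
            report[path] = "deleted"
        elif hit[1] is None:
            report[path] = "failed (no status)"
        else:
            report[path] = f"failed ({hit[1]:#010x} {NTSTATUS_NAMES.get(hit[1], 'unknown NTSTATUS')})"
    return report
```

Calling reconcile(SCRIPT, LOG) flags the "not found" entries as already absent rather than as a removal failure, and shows that the folder entry was never acted on, which is the kind of gap to look for before declaring a cleanup complete.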
LDTate