[Closed] my computer's performance is getting worse


  • This topic is locked
7 replies to this topic

#1 singam316
    New Member, 3 posts

Posted 24 September 2007 - 08:53 AM

Hi,

Recently, my computer has been running very slowly due to a virus infection. I scanned my computer with avast! anti-virus and also installed the ZoneAlarm firewall, both of which are freeware. I managed to remove all the viruses detected. But it seems like the virus did some pretty bad damage to my programs and my computer. Now I am not sure how to repair my computer so that it runs smoothly again. Please help. I use my computer to learn and to gain information. Therefore, it is really important for me that it runs smoothly.
Thank you.

singam316.


***********************************************************************************************************
Below is the latest logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:23:34 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.c...msearch-en.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {22F86F33-9CBB-49a8-BB12-CDBE51B4C294} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\tbu6\AOL_security_toolbar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\tbu6\AOL_security_toolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKLM\..\Run: [IdnSvr] C:\Program Files\OCINS\idnsvr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Access Internet Keyword - C:\Program Files\OCINS\cnrbtn.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-my\msntabres.dll.mui/229?a6f3c976680747c6b2d6faec31839a9c
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-my\msntabres.dll.mui/230?a6f3c976680747c6b2d6faec31839a9c
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 bob4
    MalwareTeam Emeritus, Authentic Member, 2,205 posts

Posted 26 September 2007 - 04:23 PM

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!
  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.
Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!

___________________________________

You haven't got all the infections off this machine yet!

It looks like you have been infected by a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear, since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to back up your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here.

I suggest you do the following immediately:
  • Call all of your banks, credit card companies and financial institutions, inform them that you may be a victim of identity theft, and ask them to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords: for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.
If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Should you decide to clean this machine, start by doing the following.

______________________________
HJT
Run HijackThis, choose scan only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.c...msearch-en.html
R3 - URLSearchHook: (no name) - {22F86F33-9CBB-49a8-BB12-CDBE51B4C294} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKLM\..\Run: [IdnSvr] C:\Program Files\OCINS\idnsvr.exe


_____________________________________________


1. Download ComboFix from one of these locations:
http://www.techsuppo...Bs/ComboFix.exe
http://download.blee...Bs/ComboFix.exe

2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply (C:\ComboFix.txt).

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

___________________________________
Search for and remove
Now I want you to search for and delete the following folder and all its contents, if present. If you need help finding them:
Click Start / Search / All files and folders / look for More advanced options. Once in there, select the first 3 boxes.
Please just remove the files/folders I listed in BOLD.


C:\Program Files\OCINS\idnsvr.exe

_____________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Combofix

Edited by bob4, 26 September 2007 - 04:24 PM.

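The checks bob4 makes above by reading the log (entries whose target HijackThis prints as "(no file)", and confirming in the next log that the lines marked for Fix Checked are actually gone) can be scripted. The Python below is an added example, not a tool used in this thread. Its sample data are trimmed copies of the two logs posted here; the treatment of the two avast! O23 lines as misreported rather than truly missing is a heuristic assumption, drawn from the same binaries appearing under "Running processes" and the stray quote in the printed path, and should be confirmed on disk.

```python
"""HijackThis v1.99.1 log triage (added example; not a tool used in this thread).

Three checks a helper otherwise does by eye:
  1. orphaned hooks: registry entries whose target HJT prints as "(no file)";
  2. O23 services tagged "(file missing)" although the same binary is listed
     under "Running processes" (assumed to be a parsing quirk caused by the
     quoted ImagePath, not a really absent file; verify on disk);
  3. a before/after diff confirming that every line the user was asked to
     Fix Checked is gone from the follow-up log and nothing new appeared.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# O23 body: Service: <display name> - <owner> - <path>[" /args] [(file missing)]
O23_PATH_RE = re.compile(
    r"^Service: .*? - .*? - (?P<path>[A-Za-z]:\\.*?\.(?:exe|dll))", re.I)


@dataclass(frozen=True)
class Entry:
    kind: str  # "R0", "O2", "O23", ...
    body: str  # text after "Oxx - "

    @property
    def line(self) -> str:
        return f"{self.kind} - {self.body}"


def parse_log(text):
    """Split an HJT log into (running processes, hook entries)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line.lower())
                continue
            in_procs = False  # the blank line ends the process list
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return processes, entries


def orphaned(entries):
    """Registry hooks (BHOs, URLSearchHooks, ...) whose target file is gone."""
    return [e for e in entries if e.body.endswith("(no file)")]


def missing_services(entries, processes):
    """O23 lines tagged "(file missing)": (really missing, actually running)."""
    really, running = [], []
    for e in entries:
        if e.kind != "O23" or "(file missing)" not in e.body:
            continue
        m = O23_PATH_RE.match(e.body)
        path = m["path"].lower() if m else None
        (running if path in processes else really).append(e)
    return really, running


def triage(text):
    """Checks 1 and 2 over one log, as lists of the original log lines."""
    processes, entries = parse_log(text)
    really, running = missing_services(entries, processes)
    return {
        "orphaned": [e.line for e in orphaned(entries)],
        "service_missing": [e.line for e in really],
        "service_misreported": [e.line for e in running],
    }


def fix_delta(before_text, after_text):
    """(entries removed, entries added) between two logs of the same machine."""
    before = {e.line for e in parse_log(before_text)[1]}
    after = {e.line for e in parse_log(after_text)[1]}
    return sorted(before - after), sorted(after - before)


# Trimmed copy of the 24 Sep log from this thread (constructed sample input).
BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.c...msearch-en.html
R3 - URLSearchHook: (no name) - {22F86F33-9CBB-49a8-BB12-CDBE51B4C294} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKLM\..\Run: [IdnSvr] C:\Program Files\OCINS\idnsvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""
# The 27 Sep log is the same minus the five lines fixed in HJT.
AFTER = "\n".join(ln for ln in BEFORE.splitlines() if not any(
    k in ln for k in ("jogo.c", "22F86F33", "7E853D72", "RavMonE", "idnsvr")))

if __name__ == "__main__":
    removed, added = fix_delta(BEFORE, AFTER)
    print("removed by Fix Checked:", *removed, sep="\n  ")
    print("newly appeared:", added or "none")
    for key, lines in triage(AFTER).items():
        print(f"{key}: {len(lines)}")
```

Run with no arguments to see the five lines that disappear between the two logs; on a real case, pass the full text of both logs to `fix_delta` and `triage`. Anything left in `orphaned` or `service_missing` for the follow-up log is what to look at next, and a non-empty "added" list means something new registered itself between the two scans.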

#3 singam316
    New Member, 3 posts

Posted 27 September 2007 - 01:57 AM

Hi again.

Thanks for the reply. I have done the following:
1. HJT
I have fixed all 5 entries that you asked me to check and fix. This is the latest HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 3:10:20 PM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\ZoneLabs\UpdClient.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\tbu6\AOL_security_toolbar.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\tbu6\AOL_security_toolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-my\msntabres.dll.mui/229?a6f3c976680747c6b2d6faec31839a9c
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-my\msntabres.dll.mui/230?a6f3c976680747c6b2d6faec31839a9c
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

2. I have downloaded ComboFix and run it. While ComboFix was doing its installation, my avast! antivirus detected a virus and I deleted it. After that, ComboFix continued its operations normally.
This is the information regarding the virus.

File name: c:/combofix/cfiles.dat
malware name: win32:Dadobra.EY{trj}
Malware type: trojan horse
VPS version: 000774-7,09/15/2007


And this is the combofix log.

ComboFix 07-09-21.2 - "user" 2007-09-27 14:38:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.181 [GMT 8:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\user\ravmonlog
C:\Documents and Settings\user\Desktop\New Folder\kabul express\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - 2Pacalypse Now\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - All Eyez On Me\CD 1\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - All Eyez On Me\CD 2\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - All Eyez On Me\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - Greatest Hits\CD1\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - Greatest Hits\Cd2\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - Greatest Hits\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - Live\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - Me Against The World\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - Strictly 4 My N.I.G.G.A.Z\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - The Lost Tapes\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\b4 death\2Pac - Thug Life\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\greatest ever\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Better Dayz\Book 2\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Better Dayz\CD1\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Better Dayz\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Fallen Angels\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Loyal To The Game\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - NU-Mixx Klazzics\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Only In America\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - R U Still Down (remember me)\CD 2\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - R U Still Down (remember me)\CD1\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - R U Still Down (remember me)\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Ready 2 Die\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Ressurection\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Still I Rise\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - The Heart of A Thug Ghetto Gospel\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - The Here After\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - The Rose That Grew From Concrete\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Until The End Of Time\CD 1\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Until The End Of Time\CD 2\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - Until The End Of Time\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2pac - Untouchable\Desktop_.ini
C:\Documents and Settings\user\Desktop\Tupac 23 Albums\Ressurection\2Pac - You Never Heard Ft. B.I.G\Desktop_.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CNPROV
-------\LEGACY_IDNAUX
-------\LEGACY_NWSAPAGENT
-------\cnprov
-------\idnaux
-------\NwSapAgent


((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-27 14:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-23 19:01 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Windows Desktop Search
2007-09-23 18:45 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-09-23 17:50 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-14 22:21 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-09-14 22:03 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-09-14 22:03 <DIR> d-------- C:\Program Files\BitTorrent
2007-09-14 18:42 512 --a------ C:\ScanSectorLog.dat
2007-09-14 18:35 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\MailFrontier
2007-09-14 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-14 18:13 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-14 18:13 4,401,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-14 18:13 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-14 18:13 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-09-13 00:43 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-12 19:31 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-12 19:31 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-12 19:31 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-12 19:31 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-12 19:31 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-12 19:31 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-12 19:30 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-12 19:30 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-28 01:06 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2007-08-28 01:06 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-08-28 01:06 <DIR> d-------- C:\Program Files\AlienGUIse

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 14:43 63128 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-23 18:10 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-09-23 17:56 --------- d-------- C:\Program Files\MSN Messenger
2007-09-16 04:41 --------- d-------- C:\DOCUME~1\user\APPLIC~1\BitTorrent
2007-09-06 16:14 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-08-31 21:51 --------- d-------- C:\DOCUME~1\user\APPLIC~1\dvdcss
2007-08-18 01:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-18 01:14 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-15 03:28 --------- d-------- C:\Program Files\AOL Security Toolbar
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 01:32 --------- d-------- C:\Program Files\Realtek AC97
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-12 06:15]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-12 06:14]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"LManager"="C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE" [2004-04-06 06:46]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 11:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 09:41 C:\WINDOWS\AGRSMMSG.exe]
"WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2003-06-09 12:23]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-06-29 06:24]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 C:\WINDOWS\soundman.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 18:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-09-19 15:46:14]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-07-07 22:17:37]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bdfd262-55e0-11da-b5d1-000e350c6aad}]
AutoOpen\command- .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c05ebde-9fdf-11db-b882-000e350c6aad}]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-08-31 04:58:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-27 06:01:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 14:47:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-27 14:51:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-27 14:51
.
--- E O F ---


3. Search for and removal
I did as you said but was unable to find the following file.

C:\Program Files\OCINS\idnsvr.exe

Might I add that when I first scanned my computer with Avast antivirus, it already detected OCINS, and since I didn't recognize this file, I completely deleted it.



I only use this computer for my studies and do not use it for anything sensitive. Furthermore, I was never provided with the CD-ROMs required to reformat the computer when I purchased it. Therefore, I am not sure how I should reformat this computer.
Personally, I prefer to repair this computer instead of reformatting it, since I clearly see that the hackers are actually teaching me more about my computer than I could have learnt if they didn't exist. I understand the need to learn everything I can about my computer, and therefore I will stick with this till it's over.

#4 bob4
MalwareTeam Emeritus • Authentic Member • 2,205 posts
Posted 27 September 2007 - 06:50 AM

2. I have downloaded ComboFix and run it. When ComboFix was doing its installation, my Avast antivirus detected a virus and I deleted it. After that, ComboFix continued its operations normally.
This is the information regarding the virus.


That's a false positive. This program is extremely safe. Please delete the ComboFix you have and redownload another.
When Avast flags it again, have it ignore the file. If that's not an option, do this:

Right-click on the Avast icon in the task bar and choose "stop on access protection".
Then go ahead and run ComboFix. If Avast has already deleted the file, you'll have to download another.
When it's done, you can turn on-access protection back on.


1. Download Combo fix from one of these locations.
http://www.techsuppo...Bs/ComboFix.exe
http://download.blee...Bs/ComboFix.exe


Please post that log for me.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#5 singam316
New Member • 3 posts
Posted 27 September 2007 - 08:09 AM

OK. I ignored the Avast warning as you said, and this is the latest log from ComboFix.

ComboFix 07-09-21.2 - "user" 2007-09-27 21:34:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.124 [GMT 8:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cnprov.dat

.
((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-27 14:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-23 19:01 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Windows Desktop Search
2007-09-23 18:45 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-09-23 17:50 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-14 22:21 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-09-14 22:03 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-09-14 22:03 <DIR> d-------- C:\Program Files\BitTorrent
2007-09-14 18:42 512 --a------ C:\ScanSectorLog.dat
2007-09-14 18:35 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\MailFrontier
2007-09-14 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-14 18:13 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-14 18:13 4,485,408 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-14 18:13 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-14 18:13 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-09-13 00:43 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-12 19:31 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-12 19:31 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-12 19:31 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-12 19:31 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-12 19:31 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-12 19:31 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-12 19:30 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-12 19:30 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-28 01:06 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2007-08-28 01:06 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-08-28 01:06 <DIR> d-------- C:\Program Files\AlienGUIse

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 16:56 63776 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-23 18:10 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-09-23 17:56 --------- d-------- C:\Program Files\MSN Messenger
2007-09-16 04:41 --------- d-------- C:\DOCUME~1\user\APPLIC~1\BitTorrent
2007-09-06 16:14 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-08-31 21:51 --------- d-------- C:\DOCUME~1\user\APPLIC~1\dvdcss
2007-08-18 01:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-18 01:14 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-15 03:28 --------- d-------- C:\Program Files\AOL Security Toolbar
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 01:32 --------- d-------- C:\Program Files\Realtek AC97
.

((((((((((((((((((((((((((((( snapshot_2007-09-27_145008.93 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 5,726,291 2007-09-27 12:53:26 C:\WINDOWS\system32\ZoneLabs\spyware.dat
----a-w 62,060 2007-09-27 12:51:10 C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
----atw 16,384 2007-09-27 12:05:44 C:\WINDOWS\Temp\Perflib_Perfdata_220.dat
.
----a-w 5,695,975 2007-09-26 14:10:13 C:\WINDOWS\system32\ZoneLabs\spyware.dat
----a-w 58,056 2007-09-27 06:44:43 C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-12 06:15]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-12 06:14]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"LManager"="C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE" [2004-04-06 06:46]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 11:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 09:41 C:\WINDOWS\AGRSMMSG.exe]
"WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2003-06-09 12:23]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-06-29 06:24]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 C:\WINDOWS\soundman.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 18:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-09-19 15:46:14]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-07-07 22:17:37]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bdfd262-55e0-11da-b5d1-000e350c6aad}]
AutoOpen\command- .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c05ebde-9fdf-11db-b882-000e350c6aad}]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-08-31 04:58:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-27 13:01:05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 21:38:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-27 21:39:57
C:\ComboFix-quarantined-files.txt ... 2007-09-27 21:39
C:\ComboFix2.txt ... 2007-09-27 14:51
.
--- E O F ---

#6 bob4
MalwareTeam Emeritus • Authentic Member • 2,205 posts
Posted 27 September 2007 - 07:23 PM

OK, everything seems to look OK now. :thumbup:

A word on any anti-virus program.
Whenever an anti-virus flags a file, have it quarantined for a while, not deleted permanently.
In Avast's case I think they use what they call a chest. Same difference. This way you can restore it if you have to.
At this time you can Google it to be sure it's not a false positive. It happens to them all from time to time.
Drop by the forum any time to be sure.

Please let me know how things seem to be running.

#7 bob4
MalwareTeam Emeritus • Authentic Member • 2,205 posts
Posted 02 October 2007 - 05:09 AM

You still with me? Is everything running OK?

#8 bob4
MalwareTeam Emeritus • Authentic Member • 2,205 posts
Posted 04 October 2007 - 05:31 AM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
