Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Zheltaya_hernya


  • This topic is locked This topic is locked
3 replies to this topic

#1 nautilus_project

nautilus_project

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 19 January 2008 - 10:59 AM

Hey everyone! I hope someone here can help me out with this.

Recently I noticed a yellow bar had appeared on the top of my internet browser screen saying I might have spyware or adware with a "click here" link. When I mouse-over the link I see at the bottom "Zheltaya_hernya" in the url and do a google search with that term. Turns out its malware (surprise surprise)...and so I try to get rid of it with ad-aware, Avast, AVG Anti-spyware...but it keeps coming back. Everytime I do a lengthy scan of my system, I return to find a dozen or so pop-up windows open with various "helpful" warnings about spyware/malware which of course are all from this zheltaya_hernya malware, and not actual legit messages from my anti-spyware software.

Generally I have had good luck ridding myself of these problems in the past, but this one has me stumped. It just keeps coming back!

I have run ComboFix.exe as was suggested on the boards elsewhere and it seems to have fixed the problem now, but I remain unconvinced and will not be surprised to find the malware resurface and rear its ugly head again soon. Could someone please have a look at my ComboFix and HiJackThis logs and let me know what kind of shape I'm in?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:04 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RTDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WinAlarm\WinAlarm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Jay\My Documents\My Programs\Spyware\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinAlarm] C:\Program Files\WinAlarm\WinAlarm.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://otter1.vanaqu...sCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE7E0942-4218-404A-9516-296411E8A892}: NameServer = 192.168.1.254
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O21 - SSODL: aslpmqk - {CB8E88C6-5E61-4996-BF8D-FCAE2FA40C72} - C:\WINDOWS\aslpmqk.dll
O21 - SSODL: bxsnvqt - {ACB4D23F-2C79-438B-8140-403F83B4C6A3} - C:\WINDOWS\bxsnvqt.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11792 bytes


ComboFix 08-01-18.5 - Jay 2008-01-18 23:38:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1487 [GMT -8:00]
Running from: C:\Documents and Settings\Jay\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dat.txt
C:\WINDOWS\dopfwrldxw.dll
C:\WINDOWS\egodktf.dll
C:\WINDOWS\search_res.txt
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-18 23:37 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-18 23:37 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 23:35 . 2008-01-18 23:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-18 02:59 . 2008-01-18 02:59 <DIR> d-------- C:\Documents and Settings\Jay\Application Data\Grisoft
2008-01-18 02:59 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-18 02:58 . 2008-01-18 02:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-17 15:17 . 2008-01-17 08:31 229,376 --a------ C:\WINDOWS\aslpmqk.dll
2008-01-17 15:17 . 2008-01-17 08:31 81,920 --a------ C:\WINDOWS\fknxwqf.exe
2008-01-17 14:23 . 2008-01-17 14:23 <DIR> d-------- C:\Program Files\iTunes
2008-01-17 14:23 . 2008-01-17 14:23 <DIR> d-------- C:\Program Files\iPod
2008-01-17 14:23 . 2008-01-18 23:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-17 14:23 . 2008-01-17 14:23 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 14:22 . 2008-01-17 14:22 <DIR> d-------- C:\Program Files\QuickTime
2008-01-15 05:46 . 2008-01-15 05:46 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-07 01:48 . 2008-01-07 01:48 <DIR> d-------- C:\Documents and Settings\Jay\System
2008-01-07 01:48 . 2008-01-07 01:59 <DIR> d-------- C:\Documents and Settings\Jay\Application Data\SmartDraw
2008-01-07 01:43 . 2008-01-07 01:48 <DIR> d-------- C:\Program Files\SmartDraw 2008
2008-01-05 16:29 . 2008-01-05 16:29 10,022 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-05 16:17 . 2008-01-05 16:17 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-01-05 16:17 . 2008-01-05 16:17 <DIR> d-------- C:\Program Files\TechSmith
2008-01-05 16:17 . 2008-01-05 16:17 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-01-05 16:17 . 2007-08-27 10:53 107,864 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-01-05 15:42 . 2008-01-05 15:42 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-31 03:29 . 2008-01-05 16:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-31 03:00 . 2007-12-31 03:58 <DIR> d-------- C:\Program Files\Bulent's Screen Recorder 4
2007-12-31 03:00 . 2007-12-31 03:54 2,048 --a------ C:\WINDOWS\system32\Tr_sttool.dat
2007-12-31 02:34 . 2008-01-05 15:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-26 08:24 . 2007-12-26 08:24 <DIR> d-------- C:\Program Files\Common Files\VFP
2007-12-26 08:23 . 2007-12-26 08:30 <DIR> d-------- C:\Program Files\miniMRP
2007-12-26 08:23 . 1999-08-19 22:45 995,328 --a------ C:\WINDOWS\system32\gridex16.ocx
2007-12-26 08:23 . 2004-07-12 21:43 303,173 --a------ C:\WINDOWS\system32\calendarvb.ocx
2007-12-26 08:23 . 1999-08-13 21:13 278,528 --a------ C:\WINDOWS\system32\jsbbar16.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 07:37 --------- d-----w C:\Program Files\Java
2008-01-19 07:24 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-18 21:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-16 13:55 --------- d-----w C:\Program Files\Folder Lock
2008-01-05 23:28 --------- d-----w C:\Documents and Settings\Jay\Application Data\uTorrent
2007-12-29 13:01 50,504 ----a-w C:\Documents and Settings\Jay\Application Data\GDIPFONTCACHEV1.DAT
2007-12-23 21:40 --------- d-----w C:\Program Files\DivX
2007-12-20 07:13 --------- d-s---w C:\Program Files\Xfire
2007-12-20 07:13 --------- d-----w C:\Documents and Settings\Jay\Application Data\Xfire
2007-12-16 23:45 774 ----a-w C:\Program Files\af8.ini
2007-12-16 22:32 --------- d-----w C:\Program Files\skins
2007-12-16 10:04 --------- d-----w C:\Documents and Settings\Jay\Application Data\LimeWire
2007-12-15 21:28 --------- d-----w C:\Documents and Settings\Jay\Application Data\WinAlarm
2007-12-11 03:00 --------- d-----w C:\Program Files\CUES
2007-12-11 02:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-10 03:45 --------- d-----w C:\Program Files\Roleplaying City Map Generator
2007-12-09 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-30 02:20 --------- d-----w C:\Program Files\Advanced GIF Animator
2007-11-21 04:26 --------- d-----w C:\Program Files\SmartFTP Client 2.5 Setup Files
2007-11-21 04:26 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2007-10-24 01:06 585,728 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-02-05 21:32 46,808 ----a-w C:\Documents and Settings\Jenn\Application Data\GDIPFONTCACHEV1.DAT
2003-06-16 05:12 9,196 ----a-w C:\Program Files\readme.txt
2003-06-16 05:03 143,360 ----a-w C:\Program Files\af8.exe
2003-06-11 07:21 155,648 ----a-w C:\Program Files\af8msg.exe
2003-06-05 07:08 3,744 ----a-w C:\Program Files\license.txt
2007-04-18 01:24 88 --sh--r C:\WINDOWS\system32\17E6527ADE.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 12:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 12:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 08:35 68856]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 12:57 1103480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTDCPL"="RTDCPL.EXE" [2005-07-08 15:16 12298240 C:\WINDOWS\system32\RTDCPL.EXE]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 07:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 02:20 122940]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 14:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 14:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"WinAlarm"="C:\Program Files\WinAlarm\WinAlarm.exe" [2007-01-29 08:36 353280]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2007-10-14 20:30 393216]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

C:\Documents and Settings\Jay\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2006-06-06 21:25:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-04-07 01:42:52]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-09 01:12:44]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-04-08 11:06:22]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-05-06 04:02:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"aslpmqk"= {CB8E88C6-5E61-4996-BF8D-FCAE2FA40C72} - C:\WINDOWS\aslpmqk.dll [2008-01-17 08:31 229376]
"bxsnvqt"= {ACB4D23F-2C79-438B-8140-403F83B4C6A3} - C:\WINDOWS\bxsnvqt.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TELUS eCare.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TELUS eCare.lnk
backup=C:\WINDOWS\pss\TELUS eCare.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jay^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Jay\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-09-09 01:18 57344 C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 00:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 12:57 1103480 C:\Program Files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 15:16 1121792 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-16 14:15 1266936 C:\Program Files\Games\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-03-31 08:35 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

S4 Lsprsreta_;Lsprsreta_;C:\WINDOWS\system32\drivers\fdc.sys [2004-08-04 02:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-19 05:22:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-19 16:27:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-15 02:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (NAUTILUS-Jay).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-19 16:27:20 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job"
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 08:27:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\WinRAR\rarext.dll
.
Completion time: 2008-01-19 8:37:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 16:37:03
.
2008-01-09 05:05:37 --- E O F ---

    Advertisements

Register to Remove


#2 nautilus_project

nautilus_project

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 20 January 2008 - 08:04 AM

Just an update. There was a brief ray of sunshine when the problem seemed to have been cleared up but I tried leaving the PC on for a few hours while I went out and when I came back, there were about a dozen pop-up windows open again. These tell me various cryptic things about how I might have malwale on my computer and how I can "click here" to fix it or scan it or whatever. This is not a function of any of the adware removal, anti-spyware or anti-virus programs I use, and is clearly one of this malwares ways to dupe the PC user. Of course I don't click on any of them but still the damage is done. My machine is extremely laggy, esp. on start-up and when starting IE. This time of the month I tend to have a lot of payments coming in and out of my bank account and like to monitor this online, but I'm too paranoid to log on to my account with my machine hijacked. If someone can decipher these logs I've attached it would help me out a lot!

#3 nautilus_project

nautilus_project

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 20 January 2008 - 08:37 AM

I have continued to read through other threads to try to self-fix this problem and LDTate writes in another post to use SDFix, which I have now also done.

Here is my SDFix log:


SDFix: Version 1.129

Run by Jay on Sun 01/20/2008 at 06:13 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\Jay\LOCALS~1\Temp\ac8zt2.dat - Deleted
C:\WINDOWS\aslpmqk.dll - Deleted
C:\WINDOWS\fknxwqf.exe - Deleted





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 06:24:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 3
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 3
disk error: C:\Documents and Settings\Jay\ntuser.dat, 3
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 21 Feb 2003 348,160 A..H. --- "C:\msvcr71.dll"
Mon 31 Oct 2005 700,416 A..H. --- "C:\StubInstaller.exe"
Mon 5 Dec 2005 3,076,096 A..H. --- "C:\Program Files\FantasyGrounds\FantasyGrounds.exe"
Thu 18 Nov 2004 114,688 A..H. --- "C:\Program Files\FantasyGrounds\QuickHelp.dll"
Thu 5 Apr 2007 111,179 A..H. --- "C:\Program Files\FantasyGrounds\Uninstall.exe"
Thu 28 Oct 2004 69,632 A..H. --- "C:\Program Files\FantasyGrounds\UnPak.exe"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 17 Apr 2007 88 ..SHR --- "C:\WINDOWS\system32\17E6527ADE.sys"
Sat 5 Jan 2008 10,022 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 20 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 20 Jan 2008 0 A..H. --- "C:\Documents and Settings\Jay\Local Settings\Temp\BIT3F.tmp"
Sun 20 Jan 2008 0 A..H. --- "C:\Documents and Settings\Jay\Local Settings\Temp\BIT7F.tmp"
Sun 20 Jan 2008 0 A..H. --- "C:\Documents and Settings\Jay\Local Settings\Temp\BITA.tmp"
Sun 20 Jan 2008 0 A..H. --- "C:\Documents and Settings\Jay\Local Settings\Temp\BITA4.tmp"
Fri 15 Apr 2005 4,287,459 A..H. --- "C:\Program Files\FantasyGrounds\campaigns\The Wizards Amulet\The Wizards Amulet.zip"
Mon 28 Mar 2005 112,674 A..H. --- "C:\Program Files\FantasyGrounds\campaigns\The Wizards Amulet\tokens.zip"
Fri 15 Apr 2005 4,287,459 A..H. --- "C:\Program Files\FantasyGrounds\TheWizardsAmulet\The Wizards Amulet\The Wizards Amulet.zip"
Mon 28 Mar 2005 112,674 A..H. --- "C:\Program Files\FantasyGrounds\TheWizardsAmulet\The Wizards Amulet\tokens.zip"
Fri 21 Dec 2007 857 ...HR --- "C:\Documents and Settings\Jay\Application Data\SecuROM\UserData\securom_v7_01.bak"
Wed 28 Feb 2001 87,264 A..H. --- "C:\Documents and Settings\Jay\My Documents\My Programs\Passkeeper (Old)\psk3212.zip"
Sun 14 Jan 2007 5,771,126 A..H. --- "C:\Documents and Settings\Jay\My Documents\Downloaded Program Updates\Update Manager\CinePlayer Critical Update Dec 2006\cineplaye30updateto11cw-aad.exe"
Sun 4 Mar 2007 32,245,689 A..H. --- "C:\Documents and Settings\Jay\My Documents\Downloaded Program Updates\Update Manager\RecordNow Audio (Basic) 2.0.0.1\Audio2001Basic.exe"
Fri 26 Jul 2002 153,088 A..H. --- "C:\Program Files\Games\Valve\Steam\servers\SRCDS\UNWISE.EXE"

Finished!


...and my new HijackThis! log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:39 AM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RTDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WinAlarm\WinAlarm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Jay\My Documents\My Programs\Spyware\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinAlarm] C:\Program Files\WinAlarm\WinAlarm.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://otter1.vanaqu...sCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE7E0942-4218-404A-9516-296411E8A892}: NameServer = 192.168.1.254
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10273 bytes

#4 nautilus_project

nautilus_project

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 24 January 2008 - 07:45 AM

I guess no-one here knows how to remove this malware? :huh: Oh well, I guess I'll have to re-format, It was about due anyway. Thanks? :(

Edited by nautilus_project, 24 January 2008 - 07:46 AM.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users