Multiple Viruses, please help - Free Antivirus Forum

Multiple Viruses, please help

BullGuard Antivirus Forum > Virus Removal > Removal Help > Multiple Viruses, please help

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

APaquette-117
New Member

Date Joined Jun 2008
Total Posts : 5

Posted 7-7-2008 4:35 (GMT +2)

Im using Avast and I have these 3 trojans that wont go away Win32:Trojan-gen, VBS:Malware-gen and Win32:Agent-ZQG [Trj]

This is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 19:28:45, on 06/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\WindowsFaxViewer.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Adam\LOCALS~1\Temp\bkscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HijackThis\alternativ.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Fax Viewer] WindowsFaxViewer.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [lphc9gwj0ep6p] C:\WINDOWS\system32\lphc9gwj0ep6p.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 12798

Posted 7-7-2008 7:25 (GMT +2)

Hello

Please download Combofix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".

Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply with a new hijackthis log.

Please copy and paste your log files. DO NOT add it as an attachment

NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer.. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

APaquette-117
New Member

Date Joined Jun 2008
Total Posts : 5

Posted 7-7-2008 8:39 (GMT +2)

Ok thanks for the reply, here is the log.

ComboFix 08-07-05.1 - Adam 2008-07-06 23:35:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1524 [GMT -7:00]
Running from: C:\Documents and Settings\Adam\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blphc9gwj0ep6p.scr
C:\WINDOWS\system32\lphc9gwj0ep6p.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\phc9gwj0ep6p.bmp

.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-06 22:44 . 2008-07-06 22:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-06 22:08 . 2008-07-06 23:09 <DIR> d-------- C:\SDFix
2008-07-06 20:37 . 2008-07-06 20:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-06 20:18 . 2008-07-06 22:41 <DIR> d-------- C:\!KillBox
2008-07-06 20:07 . 2008-07-06 20:07 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-06 19:21 . 2008-07-06 19:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-06 19:21 . 2008-07-06 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-06 19:21 . 2008-07-06 19:21 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\SUPERAntiSpyware.com
2008-07-06 18:09 . 2008-07-06 18:11 2,824 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-06 17:51 . 2008-07-06 17:51 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-06 17:51 . 2008-07-06 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-06 17:50 . 2008-07-06 19:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 22:12 . 2008-07-06 04:46 39,424 -r-hs---- C:\WINDOWS\WindowsFaxViewer.exe
2008-07-03 14:19 . 2008-07-03 14:19 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-26 20:02 . 2008-06-26 20:18 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2008-06-22 19:43 . 2008-06-22 20:28 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2008-06-22 19:43 . 2008-06-22 20:28 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2008-06-22 19:43 . 2008-06-22 20:28 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2008-06-22 19:39 . 2008-06-22 19:39 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-06-22 19:39 . 2008-06-22 20:29 35,517 --a------ C:\WINDOWS\DIIUnin.dat
2008-06-22 19:39 . 2008-06-22 19:39 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-06-22 19:33 . 2008-07-05 22:55 <DIR> d-------- C:\Program Files\Diablo II
2008-06-19 17:09 . 2008-06-19 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2008-06-19 12:40 . 2008-06-19 12:40 <DIR> d-------- C:\Program Files\Microsoft Games
2008-06-14 15:42 . 2008-06-14 15:42 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-14 15:38 . 2008-06-14 15:38 <DIR> dr-h----- C:\MSOCache
2008-06-14 12:43 . 2002-01-12 16:30 3,567 --a------ C:\WINDOWS\system32\drivers\PortTalk.sys
2008-06-13 23:42 . 2008-06-13 23:42 <DIR> d-------- C:\Program Files\Common Files\BioWare
2008-06-13 23:29 . 2008-06-13 23:42 <DIR> d-------- C:\Program Files\Mass Effect
2008-06-13 17:43 . 2008-06-27 12:24 <DIR> d-------- C:\Program Files\SEGA
2008-06-10 18:28 . 2008-06-10 19:06 <DIR> d-------- C:\DUKE
2008-06-10 16:37 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 16:37 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 01:33 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-06 01:32 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-06-28 04:56 --------- d-----w C:\Program Files\Steam
2008-06-23 03:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-19 19:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 06:51 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-06 07:12 --------- d-----w C:\Program Files\LucasArts
2008-06-06 07:07 --------- d-----w C:\Program Files\D-Tools
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-11 02:55 11,700 ----a-w C:\Program Files\install.log
2008-05-11 02:55 --------- d-----w C:\Program Files\GameSpot
2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-01 23:35 53,248 ----a-w C:\WINDOWS\system32\CSVer.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-19 18:29 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-08 03:32 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-03-22 23:42 22,328 ----a-w C:\Documents and Settings\Adam\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"WheelMouse"="C:\Program Files\OCZ Technology\Mouse\Amoumain.exe" [2006-12-28 06:05 196608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"EnvyHFCPL"="C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe" [2007-03-15 10:52 495616]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 16:19 79224]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"Windows Fax Viewer"="WindowsFaxViewer.exe" [2008-07-06 04:46 39424 C:\WINDOWS\WindowsFaxViewer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\adamp117\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"C:\\NeverwinterNights\\NWN\\nwmain.exe"=
"C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"C:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\Steam\\steamapps\\adamp117\\counter-strike\\hl.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Steam\\steamapps\\demo484\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\demo484\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"C:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R1 VBoxDrv;VirtualBox Service;C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys [2008-02-20 20:17]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys [2008-02-20 20:17]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys [2007-03-15 08:56]
S3 PortTalk;PortTalk;C:\WINDOWS\system32\Drivers\PortTalk.sys [2002-01-12 16:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe
\Shell\directx\command - D:\DirectX9\dxsetup.exe
\Shell\setup\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1077a078-0cde-11dd-aa0e-001c106eaa0a}]
\Shell\AutoRun\command - E:\Setup.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67c5f229-165b-11dd-aa1d-001c106eaa0a}]
\Shell\AutoRun\command - E:\Install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9b82744-081d-11dd-aa07-001c106eaa0a}]
\Shell\AutoRun\command - E:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-06 03:17:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-07 06:02:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphc9gwj0ep6p - C:\WINDOWS\system32\lphc9gwj0ep6p.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 23:36:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-06 23:36:49
ComboFix-quarantined-files.txt 2008-07-07 06:36:37

Pre-Run: 157,119,410,176 bytes free
Post-Run: 157,143,629,824 bytes free

172 --- E O F --- 2008-06-19 23:52:37

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 12798

Posted 7-7-2008 8:50 (GMT +2)

Please post new hijackthis log

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

APaquette-117
New Member

Date Joined Jun 2008
Total Posts : 5

Posted 7-7-2008 8:59 (GMT +2)

oh sorrry, here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:57:56, on 06/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\WindowsFaxViewer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Fax Viewer] WindowsFaxViewer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5788 bytes

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 12798

Posted 7-7-2008 12:44 (GMT +2)

Looks clean.

How are things running now ?

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

APaquette-117
New Member

Date Joined Jun 2008
Total Posts : 5

Posted 7-7-2008 5:39 (GMT +2)

I turned on my computer this morning, and the viruses hit again. They changed my wallpaper to a blue screen with a message in the middle saying "Warning, Spyware detected on your conputer, Install and antivirus or spyware remover to clean you computer" This message is part of the wallpaper, its not an error message. And I also get the blue screen that says "A problem has been detected in windows and needs to be shut down to prevent damage to your computer" but windows doesn't actually restart. There are three files in the windows system32 folder that are the virus and keep reappearing if they get deleted by an antivirus or spyware. They are a screensaver file called blphc9gwj0ep6p.scr, a bmp image phc9gwj0ep6p.bmp, and an application lphc9gwj0ep6p.exe. Here is also my Avast log where the viruses are always found, not sure if this will help.

06/07/2008 17:30:37 Adam 1280 Sign of "BV:Malware-gen" has been found in "C:\a.bat" file.
06/07/2008 17:30:38 Adam 1280 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt4.tmp.vbs" file.
06/07/2008 17:30:38 Adam 1280 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt4.tmp.vbs" file.
06/07/2008 17:30:46 Adam 1280 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt7.tmp" file.
06/07/2008 17:42:14 Adam 1280 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.ttE.tmp" file.
06/07/2008 17:52:27 Adam 1280 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt1F.tmp" file.
06/07/2008 19:10:05 Adam 1328 Sign of "BV:Malware-gen" has been found in "C:\a.bat" file.
06/07/2008 19:10:25 Adam 1328 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt3.tmp.vbs" file.
06/07/2008 19:10:50 Adam 1328 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt6.tmp" file.
06/07/2008 19:11:02 Adam 1328 Sign of "Win32:Agent-ZQG [Trj]" has been found in "C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\9YA6YNE6\td_maintor.exe\[UPX]" file.
06/07/2008 19:19:36 Adam 1328 Sign of "Win32:Agent-ZQG [Trj]" has been found in "C:\DOCUME~1\Adam\LOCALS~1\Temp\td_maintor.exe\[UPX]" file.
06/07/2008 19:19:43 Adam 1328 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\J1MVY3RP\l1eem.exe" file.
06/07/2008 19:19:45 Adam 1328 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Adam\LOCALS~1\Temp\l1eem.exe" file.
06/07/2008 19:19:55 Adam 1328 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\ZEFKSM0I\syswcc32.exe" file.
06/07/2008 19:19:58 Adam 1328 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\DOCUME~1\Adam\LOCALS~1\Temp\syswcc32.exe" file.
06/07/2008 19:21:10 Adam 1328 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.ttE.tmp" file.
06/07/2008 19:21:41 Adam 1328 Sign of "Win32:Delf-KNW [Trj]" has been found in "C:\Documents and Settings\Adam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN" file.
06/07/2008 19:31:25 Adam 1328 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt14.tmp" file.
06/07/2008 20:03:55 Adam 1352 Sign of "BV:Malware-gen" has been found in "C:\a.bat" file.
06/07/2008 20:03:55 Adam 1352 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt4.tmp.vbs" file.
06/07/2008 20:03:55 Adam 1352 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt4.tmp.vbs" file.
06/07/2008 20:04:03 Adam 1352 Sign of "Win32:Delf-KNW [Trj]" has been found in "C:\Documents and Settings\Adam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN" file.
06/07/2008 20:04:18 Adam 1352 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt7.tmp" file.
06/07/2008 20:14:31 Adam 1352 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt1A.tmp" file.
06/07/2008 20:24:44 Adam 1352 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt20.tmp" file.
06/07/2008 20:35:06 Adam 1352 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt3C.tmp" file.
06/07/2008 20:45:17 Adam 1352 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt46.tmp" file.
06/07/2008 22:03:52 Adam 1380 Sign of "BV:Malware-gen" has been found in "C:\a.bat" file.
06/07/2008 22:03:52 Adam 1380 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt4.tmp.vbs" file.
06/07/2008 22:03:52 Adam 1380 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt4.tmp.vbs" file.
06/07/2008 22:04:13 Adam 1380 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt8.tmp" file.
06/07/2008 22:04:17 Adam 1380 Sign of "Win32:Delf-KNW [Trj]" has been found in "C:\Documents and Settings\Adam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN" file.
06/07/2008 23:09:58 Adam 1376 Sign of "BV:Malware-gen" has been found in "C:\a.bat" file.
06/07/2008 23:10:14 Adam 1376 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt6.tmp.vbs" file.
06/07/2008 23:10:34 Adam 1376 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt9.tmp" file.
06/07/2008 23:10:47 Adam 1376 Sign of "Win32:Agent-ZQG [Trj]" has been found in "C:\DOCUME~1\Adam\LOCALS~1\Temp\td_maintor.exe\[UPX]" file.
06/07/2008 23:10:55 Adam 1376 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\ZEFKSM0I\l1eem.exe" file.
06/07/2008 23:10:58 Adam 1376 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Adam\LOCALS~1\Temp\l1eem.exe" file.
06/07/2008 23:11:07 Adam 1376 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\J1MVY3RP\syswcc32.exe" file.
06/07/2008 23:11:10 Adam 1376 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\DOCUME~1\Adam\LOCALS~1\Temp\syswcc32.exe" file.
06/07/2008 23:20:50 Adam 1376 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.ttF.tmp" file.
06/07/2008 23:31:11 Adam 1376 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt18.tmp" file.
07/07/2008 08:23:41 Adam 1392 Sign of "BV:Malware-gen" has been found in "C:\a.bat" file.
07/07/2008 08:24:03 Adam 1392 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt3.tmp.vbs" file.
07/07/2008 08:24:38 Adam 1392 Sign of "Win32:Agent-ZQG [Trj]" has been found in "C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\0206GSRK\td_maintor.exe\[UPX]" file.
07/07/2008 08:24:49 Adam 1392 Sign of "Win32:Agent-ZQG [Trj]" has been found in "C:\DOCUME~1\Adam\LOCALS~1\Temp\td_maintor.exe\[UPX]" file.
07/07/2008 08:24:56 Adam 1392 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\9YA6YNE6\l1eem.exe" file.
07/07/2008 08:24:59 Adam 1392 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Adam\LOCALS~1\Temp\l1eem.exe" file.
07/07/2008 08:25:04 Adam 1392 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Adam\Local Settings\Temp\.tt6.tmp" file.
07/07/2008 08:25:24 Adam 1392 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\ZEFKSM0I\syswcc32.exe" file.
07/07/2008 08:25:31 Adam 1392 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\DOCUME~1\Adam\LOCALS~1\Temp\syswcc32.exe" file.

And this is another hikack log from when I turned on my computer this morning, not sure if it helps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:38:09, on 07/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\WindowsFaxViewer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Adam\LOCALS~1\Temp\bkscan.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Fax Viewer] WindowsFaxViewer.exe
O4 - HKLM\..\Run: [lphc9gwj0ep6p] C:\WINDOWS\system32\lphc9gwj0ep6p.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6066 bytes

Post Edited (APaquette-117) : 07-07-2008 15:40:24 GMT

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 12798

Posted 7-7-2008 7:50 (GMT +2)

Ok.

Please download ATF Cleaner:

http://www.atribune.org/ccount/click.php?id=1 by Atribune.
This program is for XP and Windows 2000 only

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch (Windows XP) only.
Java Cache

Recycle Bin

NB. It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Reboot normally.

Please download Malwarebytes' Anti-Malware:

http://www.besttechie.net/tools/mbam-setup.exe

to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch

Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

Copy and Paste that log into your next reply, and tell how things are runing now ?.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

APaquette-117
New Member

Date Joined Jun 2008
Total Posts : 5

Posted 7-7-2008 10:59 (GMT +2)

Hey the virus hasn't come up again...yet but here is my log file that you asked for:

Malwarebytes' Anti-Malware 1.19
Database version: 930
Windows 5.1.2600 Service Pack 2

1:50:02 PM 07/07/2008
mbam-log-7-7-2008 (13-50-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145378
Time elapsed: 34 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Loader technology (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Loader technology (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Loader technology (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Fax Viewer (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winloadtech32.exe (Backdoor.Bot) -> Delete on reboot.

And also I ran another Hijack but changed the name of the hijack.exe in case the trojans were avoiding and not showing up in the hijack log. But here it is again:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:55:18, on 07/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5874 bytes

Forum Information

Currently it is Friday, September 05, 2008 7:15 PM (GMT +2)
There are a total of 61.804 posts in 15.428 threads.
In the last 3 days there were 19 new threads and 61 reply posts. View Active Threads