All kinds of issues
Okay. I have Avast, Spybot, SpywareBlaster, and Lavasoft's Ad-Aware SE Personal. I logged in to my admin account (I normally run in a no-access account on my XP machine), and Avast alarmed up saying it found a trojan. Even after having it remove said trojan, it keeps coming up as finding new ones. I ran the other programs, and Spybot found mlgll.dll, which it cannot remove, even in safe mode (Avast can't even clean up the system in a pre-boot scan). Also, I ended up having Spybot asking me about a bunch of registry changes. Since I hadn't asked it to change anything, I denied each one that came up. Also, while typing this, a window (for Firefox, although I get IE ones, too, even though I don't even use IE) popped up advertising WinAntiVirus Pro (which I am ignoring, of course).
So... As per the sticky post, I've started my own thread and here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:34:03 AM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.aiu-online.com/login.aspx?ReturnUrl=%2fDefault.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [GameDrive] "C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\vltencss.dll",realset
O4 - HKLM\..\Run: [NI.UERS_9999_N91S1502] "C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S1502NetInstaller.exe" -nag
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126517376031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169750804953
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
miekiemoes
2007-06-10, 11:49
Hello,
The current formatting of your log makes it difficult to read, so in Notepad:
On top, click Format > uncheck Word Wrap
Also, I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup (http://russelltexas.com/malware/teatimer.htm)
Then, download ResetTeaTimer.bat (http://downloads.subratam.org/ResetTeaTimer.bat).
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Then, download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Double-click ComboFix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, ComboFix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt unless I ask you to.
miekiemoes: Thanks for the reply. I've followed your instructions. This post contains the ComboFix log. My next will contain the HijackThis log.
ComboFix 07-06-13.3 - C:\Documents and Settings\SKUNK-A-RIFIC\Desktop\ComboFix.exe
"SKUNK-A-RIFIC" - 2007-06-13 23:44:57 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\idkerqld.dll
C:\WINDOWS\system32\igcbjord.dll
C:\WINDOWS\system32\lfetwnru.dll
C:\WINDOWS\system32\lydbxwny.dll
C:\WINDOWS\system32\mccebxxb.dll
C:\WINDOWS\system32\vkxekygr.dll
C:\WINDOWS\system32\ynwxbdyl.ini
C:\WINDOWS\system32\gjllm.bak1
C:\WINDOWS\system32\gjllm.bak2
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.bak1
C:\WINDOWS\system32\gjllm.bak2
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\mlljg.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\install.log
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((( Files Created from 2007-05-14 to 2007-06-14 )))))))))))))))))))))))))))))))
2007-06-13 23:44 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 23:42 <DIR> d-------- C:\Program Files\ErrorSafe Free
2007-06-08 00:46 262,144 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-07 21:38 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\uhkxefqh.exe
2007-06-07 21:38 10,752 --a------ C:\WINDOWS\system32\mbmheryf.exe
2007-05-29 22:20 <DIR> d-------- C:\WINDOWS\ShellNew
2007-05-20 18:46 <DIR> d-------- C:\DOCUME~1\SOMEON~1\Pidgin
2007-05-20 18:46 <DIR> d-------- C:\DOCUME~1\SOMEON~1\APPLIC~1\.purple
2007-05-20 18:45 <DIR> d-------- C:\DOCUME~1\SOMEON~1\GTK
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-14 03:47:14 24 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000006-00001102-00000002-80641102}.dat
2007-06-14 03:47:14 24 ----a-w C:\WINDOWS\system32\DVCState-{00000001-00000000-00000006-00001102-00000002-80641102}.dat
2007-06-10 04:48:30 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-08 19:03:52 -------- d-----w C:\DOCUME~1\SKUNK-~1\APPLIC~1\Azureus
2007-06-05 22:33:47 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-04 07:20:30 -------- d-----w C:\Program Files\Trillian
2007-06-03 02:20:19 -------- d-----w C:\DOCUME~1\SKUNK-~1\APPLIC~1\OpenOffice.org2
2007-05-30 18:10:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-12 12:15:38 -------- d-----w C:\Program Files\Microsoft Works
2007-05-05 22:38:37 -------- d-----w C:\Program Files\Microsoft SQL Server
2007-05-05 22:37:40 -------- d-----w C:\Program Files\Microsoft.NET
2007-05-05 22:36:34 -------- d-----w C:\Program Files\Microsoft Device Emulator
2007-05-05 22:36:31 -------- d-----w C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2007-05-05 22:33:06 -------- d-----w C:\Program Files\MSBuild
2007-05-05 22:32:58 -------- d-----w C:\Program Files\HTML Help Workshop
2007-05-05 22:31:13 -------- d-----w C:\Program Files\Common Files\Merge Modules
2007-05-05 22:26:59 -------- d-----w C:\Program Files\Common Files\Business Objects
2007-05-05 22:25:39 -------- d-----w C:\Program Files\CE Remote Tools
2007-05-05 22:24:15 -------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-04-18 16:16:59 733,824 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-18 16:12:31 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-18 16:12:12 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-18 16:10:01 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-18 16:09:10 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-18 16:07:49 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-18 16:06:59 90,112 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-06 23:34:57 1,474 ----a-w C:\WINDOWS\checkip.dat
2007-04-03 20:09:56 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:31 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:31 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-18 12:13]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48]
"@"="" []
"GameDrive"="C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe" [2005-08-09 11:36]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 06:12 C:\WINDOWS\soundman.exe]
"was_check"="" []
"UERScw"="C:\Program Files\ErrorSafe Free\UERScw.exe" [2006-09-21 15:33]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"ErrorSafeFree"="C:\Program Files\ErrorSafe Free\uers.exe" [2007-02-13 19:01]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjiii]
mljjiii.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^SKUNK-A-RIFIC^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=C:\Documents and Settings\SKUNK-A-RIFIC\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b28bc1-d6a7-11d9-85fb-806d6172696f}]
AutoRun\command- D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{994a53d4-eaaf-11da-b444-00e04cebbac3}]
AutoRun\command- E:\autorun.exe
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 23:48:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-13 23:49:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-13 23:49
--- E O F ---
New HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:59:13 PM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.aiu-online.com/login.aspx?ReturnUrl=%2fDefault.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [GameDrive] "C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126517376031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169750804953
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: mljjiii - mljjiii.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
miekiemoes
2007-06-14, 08:24
Hello,
Open Notepad and copy/paste the text in the quote box below into it:
File::
C:\DOCUME~1\ALLUSE~1\APPLIC~1\uhkxefqh.exe
C:\WINDOWS\system32\mbmheryf.exe
Folder::
C:\Program Files\ErrorSafe Free
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"was_check"=-
"UERScw"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ErrorSafeFree"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjiii]
Save this as ComboFix-Do.txt
Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
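An added example, not from this thread and not code from the HijackThis, ComboFix or Spybot authors: a small Python triage script that applies the checks a helper makes by eye on logs like the ones above, namely the random 8-letter Vundo file names (vltencss.dll, uhkxefqh.exe, mbmheryf.exe), the reversed gjllm/mlljg name pair, the unknown Winlogon Notify package mljjiii, the O16 ActiveX download from a non-Microsoft host, and the ErrorSafe/WinAntiVirus rogue entries, and runs them over a handful of lines taken from the logs posted in this thread. The vowel threshold in looks_generated, the TRUSTED_DPF_HOSTS list and the KNOWN_NOTIFY allowlist are assumptions tuned to this machine and this malware family, not a general signature set.

```python
"""Triage heuristics for HijackThis / ComboFix log lines (added example).

Not HijackThis, ComboFix or the helper's own logic.  Encodes what an
analyst looks for in logs like the ones in this thread: Vundo-style
8-letter file names, the reversed .ini/.dll name pair, an unknown
Winlogon Notify package, an O16 download from an untrusted host and
rogue "security" products.  Allowlists and thresholds are assumptions.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule detail")

# Strings behind the WinAntiVirus Pro / ErrorSafe pop-ups in this thread.
ROGUE_MARKERS = ("errorsafe", "winantivirus", "winsoftware.com", "uers")

# Hosts from which O16 (DPF) ActiveX downloads are expected on an XP box
# that uses Windows Update and CA's web scanner.  Assumption: site-specific.
TRUSTED_DPF_HOSTS = ("microsoft.com", "ca.com")

# Winlogon Notify packages shipped with XP SP2 or common vendor software.
# Assumption: partial list; anything else deserves a look.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "scecli", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "wgalogon", "igfxcui", "nvcpl",
}

# A letters-only file basename followed by an extension Vundo used.
RE_FILE = re.compile(r"(?:^|[\\\s])([A-Za-z]+)\.(dll|exe|ini|bak\d?)\b", re.I)
RE_O16 = re.compile(r"^O16 - DPF: .*? - https?://([^/\s]+)", re.I)
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$", re.I)
VOWELS = set("aeiou")


def looks_generated(name):
    """Vundo-era dropper names: exactly 8 lowercase letters with at most
    two vowels (idkerqld, vltencss, uhkxefqh ...).  Legitimate 8-letter
    Windows binaries such as winlogon and services have three and pass."""
    return (len(name) == 8 and name.islower()
            and sum(c in VOWELS for c in name) <= 2)


def dpf_host_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(lines):
    """Return a list of Finding(rule, detail) for the given log lines."""
    findings = []
    seen_names = set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        for name, ext in RE_FILE.findall(line):
            seen_names.add(name.lower())
            if looks_generated(name):
                findings.append(Finding("generated-name", f"{name}.{ext}"))

        m = RE_O20.match(line)
        if m and (m.group(1).lower() not in KNOWN_NOTIFY or "file missing" in low):
            findings.append(Finding("winlogon-notify", f"{m.group(1)} - {m.group(2)}"))

        m = RE_O16.match(line)
        if m and not dpf_host_trusted(m.group(1).lower()):
            findings.append(Finding("untrusted-dpf", m.group(1).lower()))

        if any(marker in low for marker in ROGUE_MARKERS):
            findings.append(Finding("rogue-av", line))

    # Vundo's companion .ini/.bak files carry the DLL's name spelled backwards.
    for name in sorted(seen_names):
        rev = name[::-1]
        if rev != name and rev in seen_names and name < rev:
            findings.append(Finding("reversed-pair", f"{name} <-> {rev}"))
    return findings


# Lines taken from the HijackThis and ComboFix logs posted in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\vltencss.dll",realset
O4 - HKCU\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126517376031
O20 - Winlogon Notify: mljjiii - mljjiii.dll (file missing)
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\mlljg.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\uhkxefqh.exe
C:\WINDOWS\system32\mbmheryf.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"{f.rule:16} {f.detail}")
```

Run as-is it lists eight findings for the sample; the NvCpl rundll32 line and the update.microsoft.com download are left alone, and the gjllm/mlljg pair is only reported once both names have been seen, which is why the reversed-name check runs after the line loop. Every rule here is a hint for a human to confirm against the file on disk, not a verdict.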
ComboFix 07-06-13.3 - C:\Documents and Settings\SKUNK-A-RIFIC\Desktop\ComboFix.exe
"SKUNK-A-RIFIC" - 2007-06-14 19:38:37 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\SKUNK-A-RIFIC\Desktop\ComboFix-Do.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1\APPLIC~1\uhkxefqh.exe
C:\WINDOWS\system32\mbmheryf.exe
((((((((((((((((((((((((( Files Created from 2007-05-14 to 2007-06-14 )))))))))))))))))))))))))))))))
2007-06-14 13:39 66,688 --a------ C:\WINDOWS\fgdscsi_2kxp.sys
2007-06-14 13:39 <DIR> d-------- C:\WINDOWS\system32\FSLUEX
2007-06-14 13:35 3,106 --a------ C:\WINDOWS\system32\FSDataSvr.sys
2007-06-13 23:44 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 00:46 262,144 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-29 22:20 <DIR> d-------- C:\WINDOWS\ShellNew
2007-05-20 18:46 <DIR> d-------- C:\DOCUME~1\SOMEON~1\Pidgin
2007-05-20 18:46 <DIR> d-------- C:\DOCUME~1\SOMEON~1\APPLIC~1\.purple
2007-05-20 18:45 <DIR> d-------- C:\DOCUME~1\SOMEON~1\GTK
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-14 17:41:19 65,536 ----a-w C:\WINDOWS\system32\GDPersns.dat
2007-06-14 17:39:56 24 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000006-00001102-00000002-80641102}.dat
2007-06-14 17:39:56 24 ----a-w C:\WINDOWS\system32\DVCState-{00000001-00000000-00000006-00001102-00000002-80641102}.dat
2007-06-14 17:39:03 66,688 ----a-w C:\WINDOWS\system32\drivers\fgdscsi.sys
2007-06-14 04:14:30 -------- d-----w C:\Program Files\Trillian
2007-06-10 04:48:30 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-08 19:03:52 -------- d-----w C:\DOCUME~1\SKUNK-~1\APPLIC~1\Azureus
2007-06-05 22:33:47 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-03 02:20:19 -------- d-----w C:\DOCUME~1\SKUNK-~1\APPLIC~1\OpenOffice.org2
2007-05-30 18:10:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-12 12:15:38 -------- d-----w C:\Program Files\Microsoft Works
2007-05-05 22:38:37 -------- d-----w C:\Program Files\Microsoft SQL Server
2007-05-05 22:37:40 -------- d-----w C:\Program Files\Microsoft.NET
2007-05-05 22:36:34 -------- d-----w C:\Program Files\Microsoft Device Emulator
2007-05-05 22:36:31 -------- d-----w C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2007-05-05 22:33:06 -------- d-----w C:\Program Files\MSBuild
2007-05-05 22:32:58 -------- d-----w C:\Program Files\HTML Help Workshop
2007-05-05 22:31:13 -------- d-----w C:\Program Files\Common Files\Merge Modules
2007-05-05 22:26:59 -------- d-----w C:\Program Files\Common Files\Business Objects
2007-05-05 22:25:39 -------- d-----w C:\Program Files\CE Remote Tools
2007-05-05 22:24:15 -------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-04-18 16:16:59 733,824 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-18 16:12:31 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-18 16:12:12 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-18 16:10:01 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-18 16:09:10 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-18 16:07:49 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-18 16:06:59 90,112 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-06 23:34:57 1,474 ----a-w C:\WINDOWS\checkip.dat
2007-04-03 20:09:56 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:31 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:31 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-18 12:13]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48]
"@"="" []
"GameDrive"="C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe" [2007-06-14 13:38]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 06:12 C:\WINDOWS\soundman.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"SpybotSD TeaTimer"="F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^SKUNK-A-RIFIC^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=C:\Documents and Settings\SKUNK-A-RIFIC\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b28bc1-d6a7-11d9-85fb-806d6172696f}]
AutoRun\command- D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{994a53d4-eaaf-11da-b444-00e04cebbac3}]
AutoRun\command- E:\autorun.exe
*Newly Created Service* - GTNDIS5
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-14 19:39:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-14 19:40:19
C:\ComboFix-quarantined-files.txt ... 2007-06-14 19:40
C:\ComboFix2.txt ... 2007-06-13 23:49
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 7:42:49 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.aiu-online.com/login.aspx?ReturnUrl=%2fDefault.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [GameDrive] "C:\Program Files\FarStone\GameDrive\GDP\GDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126517376031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169750804953
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
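A HijackThis log like the one above is normally read by eye. As an added example (not code from this thread, and not part of HijackThis or ComboFix), the Python script below applies three of the mechanical checks a helper makes on such a log: O16 DPF entries whose ActiveX CAB is served from a host outside an allow-list, any entry HijackThis marks "(file missing)", and O4 Run values that launch a bare file name with no directory. The allow-list (only microsoft.com), the finding names and the sample subset of lines are my assumptions; the sample is constructed from the log posted here. A finding means "look at this", not "this is malware": the CA webscan control is legitimate and is still raised for review, while the WinAntiVirusPro CAB is the one that actually matters.

```python
"""
Added triage example: not code from this thread and not part of HijackThis.
Applies three mechanical checks to HijackThis v1.99.1-style log lines:
  * O16 DPF entries (ActiveX CABs) whose host is outside an allow-list,
  * any entry HijackThis marks "(file missing)",
  * O4 Run values that launch a bare file name with no directory.
A finding means "look at this", not "this is malware".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: only Microsoft-hosted ActiveX downloads are treated as expected;
# anything else (including legitimate vendors such as ca.com) is raised for review.
TRUSTED_DPF_DOMAINS = ("microsoft.com",)

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
"""

# O16 - DPF: {CLSID} (optional name) - URL
DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*)\))? - (\S+)$")
# O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag used for counting/sorting
    detail: str  # what the reviewer should check
    line: str    # the log line that triggered it


def run_image(command: str) -> str:
    """Return the executable part of a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def dpf_host_trusted(url: str) -> bool:
    """True when the CAB host is one of the allow-listed domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("(file missing)"):
            findings.append(Finding(
                "file-missing",
                "registered image is absent from disk; confirm whether it was "
                "removed deliberately (uninstall, AV cleanup) or is a leftover",
                line))
        m = DPF_RE.match(line)
        if m:
            url = m.group(3)
            if not dpf_host_trusted(url):
                findings.append(Finding(
                    "dpf-untrusted-host",
                    f"ActiveX CAB fetched from {urlparse(url).hostname}",
                    line))
            continue
        m = RUN_RE.match(line)
        if m:
            image = run_image(m.group(3))
            if "\\" not in image and ":" not in image:
                findings.append(Finding(
                    "run-unqualified-image",
                    f"Run value [{m.group(2)}] launches '{image}' without a directory; "
                    "it is resolved through the process search path, so a planted "
                    "file found earlier on that path would run instead",
                    line))
    return findings


def counts_by_kind(findings: list[Finding]) -> dict[str, int]:
    out: dict[str, int] = {}
    for f in findings:
        out[f.kind] = out.get(f.kind, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

Run it against a full saved log by passing the file contents to `triage()`. The allow-list is deliberately narrow: widening it to every vendor you recognise is the reviewer's job, and a short list keeps the rogue-AV download from hiding among trusted-looking entries.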
miekiemoes
2007-06-15, 08:25
Hi,
Your log is ok again, but I do see some files suddenly appearing in your combofix log+a folder that was created which I want to examine.
Please do the following..
* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following bold part into the Suspicious File Packer window:
C:\WINDOWS\fgdscsi_2kxp.sys
C:\WINDOWS\system32\FSDataSvr.sys
C:\WINDOWS\system32\drivers\fgdscsi.sys
Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Go to this page (http://www.bleepingcomputer.com/submit-malware.php?channel=8).
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that has been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Can you let me know what is present in this folder:
C:\WINDOWS\system32\FSLUEX
Do you have an idea what it is related to? Did you install something recently (yesterday)?
Let me know
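The packing step above hands three files to an analyst. As an added example (not part of this thread, and not the Suspicious File Packer), the Python below does what a practitioner would want alongside that step: record path, size, modification time and SHA-256 of every file before it leaves the machine, then bundle the files and that manifest together. SFP produces a CAB; this uses a ZIP because Python's standard library can write one, which is a substitution and not SFP's format. The file contents in `demo()` are constructed stand-ins for the three .sys files, not the real drivers.

```python
"""
Added example, not part of this thread and not the Suspicious File Packer (SFP).
Before handing suspect files to an analyst, record what you are sending:
path, size, modification time and SHA-256 for each file, then bundle files
and manifest together. SFP emits a CAB; this uses a ZIP because Python's
standard library can write one, which is a substitution, not SFP's format.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
import zipfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pack_suspects(paths: list[str], out_zip: str) -> dict:
    """Write the existing files plus manifest.json into out_zip; return the manifest.

    Files are stored under a flat, index-prefixed name so two files with the same
    basename from different directories cannot overwrite each other; the original
    path is kept in the manifest. Paths that do not exist are reported, not skipped
    silently, because "the file is gone" is itself something the analyst should know.
    """
    manifest: dict = {"files": [], "missing": []}
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, p in enumerate(paths):
            if not os.path.isfile(p):
                manifest["missing"].append(p)
                continue
            st = os.stat(p)
            arcname = f"{i:02d}_{os.path.basename(p)}"
            manifest["files"].append({
                "path": p,
                "arcname": arcname,
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(p),
            })
            zf.write(p, arcname=arcname)
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return manifest


def demo() -> dict:
    """Constructed stand-ins for the three .sys files requested in the thread, plus
    one deliberately missing path, packed inside a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for i, name in enumerate(["fgdscsi_2kxp.sys", "FSDataSvr.sys", "fgdscsi.sys"]):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"MZ" + bytes([i]) * 64)   # constructed content, not real drivers
            paths.append(p)
        paths.append(os.path.join(d, "not_there.sys"))
        out = os.path.join(d, "requested-files.zip")
        manifest = pack_suspects(paths, out)
        with zipfile.ZipFile(out) as zf:
            manifest["archive_members"] = sorted(zf.namelist())
    return manifest


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep a copy of the manifest outside the archive: if the upload is later cleaned or replaced, the hashes are what let you confirm the analyst looked at the same bytes you had on disk.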
Okay. I submitted the file that you requested. As for having installed anything, I have not.
List of files in C:\Windows\System32\FSLUEX\
DLFList.dat
LUExInfo.log
LUextend.exe
ProdInfo.txt
UP_VGDShell.dll
No hidden files or folders.
Hmm...FS is probably Far Stone, and LU might stand for live update. My gamedrive imager (made by farstone) updates using an automated update system that is actually called Live Update, but I haven't messed with it at all. It is automated though, so that could be what caused it.
miekiemoes
2007-06-16, 01:54
Yes, this folder and the files you've submitted are indeed related to Farstone.
So you should be ok here.
How are things now?
Well, my antivirus software hasn't made a peep since that last step, and I haven't seen a single hijacked window, so I'm guessing the coast is clear. Thanks for the help. I couldn't get the pre-boot stuff done, but it seems you have access to some pretty nifty programs there.
Again, thanks for the assist.
-Dagmoth
miekiemoes
2007-06-17, 19:09
Glad I could help. :)
Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).
Happy Surfing again!