View Full Version : Trojan?
shortwave
2008-08-03, 11:50
Sorry for the post last night, is was panicking a bit!
As requested in Tashi's reply here is a link to that thread: http://forums.spybot.info/showthread.php?t=31949
and a Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:17, on 03/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S136.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [InnovativeMemoryOptimizer] C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159614706021
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6401 bytes
Regards.
ndmmxiaomayi
2008-08-08, 13:23
Hello,
Step 1
Please go to Virus Total (http://www.virustotal.com/) or Jotti (http://virusscan.jotti.org/) and upload C:\Drivers\SECEDIT.EXE for scanning.
For Virus Total
Please copy and paste C:\Drivers\SECEDIT.EXE in the text box next to the Browse button.
Click on Send File.
For Jotti
Please copy and paste C:\Drivers\SECEDIT.EXE in the text box next to the Browse button.
Click on Submit.
Step 2
Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
Notepad will open. Please post this log in your next reply.
In your next reply, please post:
Virus Total or Jotti's scan results
Uninstall List
A new HijackThis log
shortwave
2008-08-08, 20:28
As requested:
1/ VirusTotal log:
Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.08 -
Authentium 5.1.0.4 2008.08.07 -
Avast 4.8.1195.0 2008.08.07 -
AVG 8.0.0.156 2008.08.08 -
BitDefender 7.2 2008.08.08 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.08 -
DrWeb 4.44.0.09170 2008.08.08 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6019 2008.08.08 -
Ewido 4.0 2008.08.08 -
F-Prot 4.4.4.56 2008.08.07 -
F-Secure 7.60.13501.0 2008.08.08 -
Fortinet 3.14.0.0 2008.08.08 -
GData 2.0.7306.1023 2008.08.08 -
Ikarus T3.1.1.34.0 2008.08.08 -
K7AntiVirus 7.10.408 2008.08.08 -
Kaspersky 7.0.0.125 2008.08.08 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.08 -
NOD32v2 3340 2008.08.08 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.08 -
PCTools 4.4.2.0 2008.08.08 -
Prevx1 V2 2008.08.08 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.08 -
Sunbelt 3.1.1537.1 2008.08.07 -
Symantec 10 2008.08.08 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.08 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.08 -
Webwasher-Gateway 6.6.2 2008.08.08 -
Additional information
File size: 24576 bytes
MD5...: f7bed38b1960e6a1b48825a9ca50ba79
SHA1..: 993c3ad173875d6b3d5c05b3df37c1fb404e2d2c
SHA256: 1bd11a55d35274633b7bccf65c4be9a12fad258df4a7b30c0019afa5739a9d98
SHA512: 3335abd4109bfff175de52c147ea5de49c7b21d71e5ca600a4b878fc62dfc5a7
7759d9b6fc114326ddc9dfd7173da0bee1e434adaea078b5bf62f81515af71e9
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40114c
timedatestamp.....: 0x4295d82c (Thu May 26 14:07:40 2005)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x19c8 0x2000 2.89 95a4ad9a738ce8c79e7bd27d5ee42a49
.data 0x3000 0xa40 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x4000 0x10b0 0x2000 1.56 7ddbb5b7c20b1d66fd41602261bd6b52
( 1 imports )
> MSVBVM60.DLL: _CIcos, _adj_fptan, __vbaFreeVar, _adj_fdiv_m64, _adj_fprem1, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, -, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaVarDup, _CIatan, _allmul, _CItan, _CIexp
( 0 exports )
2/ Uninstall list:
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Shockwave Player 11
Apple Software Update
ArcSoft PhotoStudio 5.5
avast! Antivirus
Canon CanoScan Toolbox 5.0
CanoScan LiDE 600F
CCleaner (remove only)
ConvertHelper 2.1
Desktop Calendar 0.42b
DriverMax 3.0
EPSON Easy Photo Print
EPSON Printer Software
Eraser
Eraser
Express Burn
FastStone Image Viewer 3.2
Foxit PDF Editor
Foxit Reader
Google Earth
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Innovative System Optimizer - version 1.9
Intel(R) Graphics Media Accelerator Driver
IZArc 3.81
Java(TM) 6 Update 7
Juice 2.2
KWorld USB 2860 Device Driver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MozBackup 1.4.7
Mozilla Firefox (2.0.0.16)
Mozilla Thunderbird (2.0.0.16)
Mp3tag v2.40
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Network Stumbler 0.4.0 (remove only)
OpenOffice.org 2.4
Panasonic VS7_MX7_SA7_VS6 USB-Handset Manager
Panda ActiveScan
PC Inspector File Recovery
Picasa 2
PL-2303 USB-to-Serial
Presto! ImageFolio 4.2
QuickTime
RealPlayer
ScanSoft OmniPage SE 4.0
Screen Grab Pro
Secunia PSI (RC1)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Sonic RecordNow!
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Switch
V4000 Digital Camera Driver
VideoLAN VLC media player 0.8.6e
VSO CopyToDVD 3
WavePad Uninstall
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
ZoneAlarm
3/ New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:20:35, on 08/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S136.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [InnovativeMemoryOptimizer] C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159614706021
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6377 bytes
ndmmxiaomayi
2008-08-09, 07:08
Hello,
Please visit this website - http://www.bleepingcomputer.com/submit-malware.php?channel=1
In the Link to topic where this file was requested field, copy and paste in http://forums.spybot.info/showthread.php?p=221177#post221177
In the Browse to the file you want to submit, copy and paste in C:\Drivers\SECEDIT.EXE
Please go to Kaspersky website (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next reply, please post:
Kaspersky Antivirus scan report
A new HijackThis log
shortwave
2008-08-09, 12:45
Hi, I've submitted a report at Bleeping Computer, but can't use the Kaspersky online scanner. It asked for permission to install various components which I granted, but then came up with "License Expired" I'm sure I've seen other people reporting this problem.
ndmmxiaomayi
2008-08-09, 12:50
Sorry, I had given the wrong link. :red:
Please use this link - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
ndmmxiaomayi
2008-08-09, 13:10
Hello,
Do you own any NEC products?
shortwave
2008-08-09, 15:19
I've run the Kaspersky Online scanner and nothing was found so no logfile attached. New HiJackThis log here:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:10:47, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S136.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [InnovativeMemoryOptimizer] C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159614706021
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6484 bytes
As the "suspect" file is currently in the Avast! Virus Chest you might be interested in the original HJT log from when I uploaded it to VirusTotal:
AhnLab-V3 - - -
AntiVir - - -
Authentium - - W32/Heuristic-210!Eldorado
Avast - - -
AVG - - PSW.Generic6.QOP
BitDefender - - -
CAT-QuickHeal - - TrojanSpy.Delf.cpa
ClamAV - - -
DrWeb - - -
eSafe - - Win32.Delf.cpa
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Heuristic-210!Eldorado
F-Secure - - Trojan-Spy.Win32.Delf.cpa
Fortinet - - -
GData - - Trojan-Spy.Win32.Delf.cpa
Ikarus - - Backdoor.Win32.Rbot.aeu
Kaspersky - - Trojan-Spy.Win32.Delf.cpa
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
PCTools - - Packed/ExeSt
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - Trojan-Spy.Win32.Delf.cpa
VirusBuster - - Packed/ExeSt
Webwasher-Gateway - - Win32.Malware.gen (suspicious)
Additional information
MD5: ba8499677092e44cf72224cc0b038816
SHA1: 64d5264e3501fbee1cd0f67ce01a067f405ed127
SHA256: afe14c48bada36c62a8455ef0f9be6818a56dcf6491ae5e423bb54e8cb2ceb68
SHA512: 22786517b117657075399875257be411f2be61c991b49f350eaa7a50b042429d4fe5f2a14f647033c4846c6639cf605ea1
Thanks.
shortwave
2008-08-09, 15:20
Further to your post #7 - Yes! the laptop is an NEC M5210.
ndmmxiaomayi
2008-08-09, 16:11
Hello,
Step 1
Disable avast! Antivirus temporarily
Please disable avast! Antivirus as it may interfere with the fixes. Remember to re-enable it back before posting the logs.
Right click on avast! Antivirus icon near the clock ( http://i100.photobucket.com/albums/m7/dasaki/avast.jpg ) and select Stop On-Access Protection.
Right click on this icon again and select Program Settings.
On the left, click on Troubleshooting.
Uncheck (untick) this box - Disable avast! self-defense module.
Click OK to apply the settings.
Disable Teatimer temporarily
Please disable Teatimer tempoarily as it may interfere with the fixes.
Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
Click on Mode > Advanced Mode. When it prompts you, click Yes.
On the left hand side, click on Tools.
Check (tick) this box if it is not yet ticked: Resident.
You will notice that Resident is now added under Tools. Click on Resident.
Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
Exit Spybot Search & Destroy.
Restart your computer for the changes to take effect.
Step 2
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once Recovery Console is installed, you should see a blue screen prompt like the one below:
http://img.photobucket.com/albums/v706/ried7/RC_whatnext.gif
Click Yes to allow Combofix to continue scanning for malware.
When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.
Do not mouse click on Combofix while it is running. That may cause it to stall.
In your next reply, please post:
Combofix log (C:\Combofix.txt)
A new HijackThis log
shortwave
2008-08-09, 16:54
Slight problem, I haven't got the Spybot icon showing in my Taskbar. I've gone into the Control panel and made sure it is ticked as "Always Show", applied and O.K.d but it doesn't appear. I'm sure it has been there in the past, but I normally have most items hidden.
ndmmxiaomayi
2008-08-09, 17:00
Hello,
You can ignore the first 2 steps for disabling Spybot Teatimer.
shortwave
2008-08-09, 17:34
Posting this from another machine. Just run ComboFix - it initially flagged up that Recovery Console was already installed, so after waiting for a couple of minutes I restarted it and it completed as per the instructions. When the log file had been produced the Spybot Teatimer popped up, first with a warning about Epson printer drivers which I denied, then "KernelFaultCheck". At this point I will wait for your advice.
ndmmxiaomayi
2008-08-09, 17:40
Can you try it in Safe Mode?
There's a lot of changes that needs to be made, and Teatimer will interfere. Hopefully, Safe Mode won't.
shortwave
2008-08-09, 17:50
May be a while - I got into Safe Mode but found that there are no icons for Avast! or Spybot in the Taskbar, so I will have to reboot back into normal mode disable them and then go back to Safe Mode.
ndmmxiaomayi
2008-08-09, 17:53
They aren't active in Safe Mode. ;)
shortwave
2008-08-09, 18:30
Oh well... Just started again in Safe Mode, I will try and copy the logs via a USB stick so I can post them via this P.C. and leave the NEC running in Safe Mode.
shortwave
2008-08-09, 18:38
It's just finished scanning, produced a logfile and now the TeaTimer's popped up again...
shortwave
2008-08-09, 18:49
New HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:47:19, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [InnovativeMemoryOptimizer] C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S136.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159614706021
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6278 bytes
And Combofix log:
ComboFix 08-08-08.08 - Owner 2008-08-09 17:28:38.2 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.
2008-08-09 11:39 . 2008-08-09 11:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-08-09 11:39 . 2008-08-09 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-03 10:42 . 2008-08-03 10:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 17:01 . 2008-07-23 17:12 <DIR> d-------- C:\Program Files\Desktop Calendar
2008-07-19 22:01 . 2008-07-19 22:01 <DIR> d-------- C:\Program Files\Google
2008-07-18 13:27 . 2008-07-18 13:27 <DIR> d-------- C:\Program Files\IZArc
2008-07-10 13:54 . 2008-08-09 16:57 7,575,584 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-10 13:54 . 2008-08-09 16:57 78,092 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-10 13:51 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-10 13:51 . 2008-07-10 13:53 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 10:13 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-05 12:26 24,360 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-07-29 21:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-07-26 16:51 --------- d-----w C:\Program Files\Java
2008-07-25 19:23 --------- d-----w C:\Program Files\Microsoft Works
2008-07-18 15:54 --------- d-----w C:\Program Files\NCH Swift Sound
2008-07-10 12:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-09 08:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-06 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-06 20:59 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-06 20:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-26 15:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-06-26 15:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-06-26 12:13 --------- d-----w C:\Program Files\ConvertHelper
2008-06-21 22:34 --------- d-----w C:\Program Files\QuickTime
2008-06-21 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-21 22:31 --------- d-----w C:\Program Files\Apple Software Update
2008-06-21 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 17:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2006-09-21 19:31 81,920 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2006-09-21 19:31 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Desktop Calendar"="C:\Program Files\Desktop Calendar\Desktop Calendar.exe" [2003-10-31 12:38 442368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-04-09 17:10 135168]
"SECEDIT"="C:\Drivers\SECEDIT.EXE" [2005-05-26 23:07 24576]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 10:47 131072]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 13:16 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 15:38 78008]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"InnovativeMemoryOptimizer"="C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe" [2004-05-27 18:02 581120]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk
backup=C:\WINDOWS\pss\Secunia PSI (RC1).lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emMON]
-ra------ 2006-12-15 08:54 61440 C:\WINDOWS\emMON.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 10:47 163840 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 12:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-01-13 10:46 135168 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CLSched"=2 (0x2)
"CLCapSvc"=2 (0x2)
"CyberLink Media Library Service"=2 (0x2)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"AOL ACS"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"CiSvc"=3 (0x3)
"seclogon"=2 (0x2)
"RasMan"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"WebClient"=2 (0x2)
"SSDPSRV"=3 (0x3)
"PolicyAgent"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\APPS\\Powercinema\\PowerCinema.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 15:35]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 15:37]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 03:12]
S3 pacdcacm;pacdcacm;C:\WINDOWS\system32\DRIVERS\pacdcacm.sys [2005-08-22 00:45]
S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-02-19 09:24]
S3 USB28xxBGA;USB 2860 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 13:20]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 13:19]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fb37896-f7a3-11da-b1cf-00038a000015}]
\Shell\AutoRun\command - E:\autorun.bat
.
Contents of the 'Scheduled Tasks' folder
2008-07-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h7sbz40n.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.tiscali.co.uk/index_first.html
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 17:32:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-09 17:35:48
ComboFix-quarantined-files.txt 2008-08-09 16:35:37
ComboFix2.txt 2008-08-09 15:28:31
Pre-Run: 15,667,888,128 bytes free
Post-Run: 15,646,527,488 bytes free
154 --- E O F --- 2008-07-09 14:57:34
ndmmxiaomayi
2008-08-10, 16:35
Hello,
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked): Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as it is and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Checked (ticked) all items except items in the C:\System Volume Information folder and click on Remove Selected.
http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/mbam1.png
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
In your next reply, please post:
A new HijackThis log
Malwarebytes' Anti-Malware scan report
ndmmxiaomayi
2008-08-10, 17:16
Hello again.
If you have any USB drives, please do the following:
Open My Computer.
Go to Tools > Folder Options.
Select the View tab.
Scroll down to Hidden files and folders.
Select Show hidden files and folders.
Uncheck (untick) Hide extensions of known file types.
Uncheck (untick) Hide protected operating system files (Recommended).
Click Yes when prompted.
Click OK.
Plug in your USB drive.
Open My Computer. Right click on your USB drive and select Explore.
If there's a file named autorun.bat, right click on this file and select Edit. Important! Do not double click on this file. It's executable.
Notepad will open. Please copy and paste the contents of the autorun.bat file in your next reply.
shortwave
2008-08-10, 18:17
Hi, I've downloaded and run Malwarebytes and found nothing although I'll post the log below. I had my USB drive plugged in and selected during this process to check that as well. I've just seen your other post so I've checked all my USB drives and a small HDD, for "Autorun.bat" and found nothing on any of them.
Malwarebytes' Anti-Malware 1.24
Database version: 1036
Windows 5.1.2600 Service Pack 2
16:59:54 10/08/2008
mbam-log-8-10-2008 (16-59-54).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 88746
Time elapsed: 46 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:01:08, on 10/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [InnovativeMemoryOptimizer] C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S136.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159614706021
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6199 bytes
Regards.
shortwave
2008-08-11, 14:57
Update: I have also checked a Seagate 320 Gb USB HDD that we use to keep backups on. This had a copy of the suspect file on it, and sure enough Avast! picked it up. I deleted it from the options, and then ran a thorough scan again. This time it turned up in the "System Volume Information" section - I guess it had been sent there, so I deleted it again. I have since run a further scan with Avast!, the Kaspersky online scanner, SUPERAntispyware, and Malwarebytes, and it comes up clean. I have also repeated all these steps with a 8Gb USB pen drive that I keep some files on, and that too is clean.
Regards.
ndmmxiaomayi
2008-08-12, 15:46
Hello,
Please do not remove anything from System Volume Information. It's Windows System Restore folder.
That will break System Restore. :sad:
Other than than infected files in System Volume Information, are there any other issues?
shortwave
2008-08-12, 20:19
Sorry, this was the System Volume Restore in the external 320 Gb HDD - I had specifically selected this to be scanned. I still have restore points showing in the laptops's System Restore menu - the ComboFix created one, and two system check points. Can I now assume that my system is "clean"? I have been wondering all along if the Avast! detection was a false positive. I notice that none of my USB drives will autorun now. Even if I go into properties and select "Open folder to view files" and apply they will not open when plugged in. I have to go into "My Computer" and select "Open". Is this related to ComboFix and your question about Autorun.bat? I have been looking on Google and see there are several programmes to create autorun.ini files. Will one of these be of any use?
Regards.
shortwave
2008-08-12, 20:30
Should have read "System Volume Information" in the external 320 Gb HDD.
This seems to be working O.K. but if needed I would reformat it and upload the back ups again.
ndmmxiaomayi
2008-08-14, 02:44
Hello,
Can I now assume that my system is "clean"?
If you have no other issues, you can assume that. :)
System Restore points are expected to be infected, but not to worry about them. They are harmless, until you do a system restore.
I notice that none of my USB drives will autorun now.
One of the fixes caused that. For security reasons, it has been disabled. A lot of malware are abusing the autorun feature in USB drives to run malware automatically.
I would recommend that it stays this way to prevent such infections from affecting you. ;)
shortwave
2008-08-14, 12:03
Thanks for your help during what is obviously a very busy time. And also for the explanation regarding Autorun.
Regards.
ndmmxiaomayi
2008-08-16, 07:01
Glad to hear that. :)
Now that your computer is clean, please remove Combofix.
Remove Combofix
Click on Start > Run. Copy and paste in ComboFix /u and click OK. An image is below for reference.
http://xs121.xs.to/xs121/07484/remcf.PNG
Here are some prevention tips. You need not to install all programs recommended.
Keep your system updated
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.
Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates
Alternatively, you can visit the links below to update Windows and Office products.
Windows Update (http://update.microsoft.com/)
Office Update (http://office.microsoft.com/en-us/officeupdate/default.aspx)
If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:
Go to Start > Control Panel > Automatic Updates
Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.
Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.
Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.
Be careful when opening attachments and downloading files.
Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge (http://sourceforge.net/) or Pricelessware (http://www.pricelesswarehome.org/).
Surf safely
Many of the exploits are directed to users of Internet Explorer and Firefox.
Using Mozilla Firefox with NoScript add-on (https://addons.mozilla.org/en-US/firefox/addon/722) helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.
If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.
For Internet Explorer 7
Please read this article (http://surfthenetsafely.com/ieseczone8.htm) to configure Internet Explorer 7 properly.
Stop malicious scripts
Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript (http://www.symantec.com/avcenter/noscript.exe) by Symantec or Script Defender (http://www.analogx.com/contents/download/system/sdefend.htm) by AnalogX to handle these scripts.
Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article (http://www.microsoft.com/athome/security/update/howbackup.mspx) to learn how to backup. Follow this article (http://support.microsoft.com/kb/309340) by Microsoft to restore your backups.
Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer (http://www.bleepingcomputer.com/tutorials/tutorial127.html).
Avoid P2P
P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs (http://p2p.malwareremoval.com/) if you need to use one.
Prevent a re-infection
Winpatrol
Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here (http://www.winpatrol.com/features.html).
You can get a free copy (http://www.winpatrol.com/wpsetup.exe) of Winpatrol or use the Plus version (http://winpatrol.stores.yahoo.net/winplusmemre.html) for more features.
You can read Winpatrol's FAQ (http://www.winpatrol.com/faq.html) if you run into problems.
Spyware Blaster
SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX (http://surfthenetsafely.com/activex.htm) programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.
You can download SpywareBlaster from Javacool (http://www.javacoolsoftware.com/spywareblaster.html).
If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial (http://www.bleepingcomputer.com/tutorials/tutorial49.html) at Bleeping Computer.
SpywareGuard
Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spywares.
You can download SpywareGuard from Javacool (http://www.javacoolsoftware.com/spywareguard.html).
If you need help in using SpywareGuard, you can SpywareGuard's tutorial (http://www.bleepingcomputer.com/tutorials/tutorial50.html) at Bleeping Computer.
Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs (http://www.spywarewarrior.com/rogue_anti-spyware.htm) and Malwarebytes RogueNET (http://www.malwarebytes.org/roguenet.php). This will save you from a lot of trouble. If in doubt, don't ever download it.
SiteHound Toolbar
SiteHound (http://www.firetrust.com/en/products/sitehound) is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.
Use an alternative email client
If you are using Outlook Express as your default email client, try using Thunderbird (http://www.mozilla.com/en-US/thunderbird/) or Pegasus Mail (http://www.pmail.com/) instead.
Here are some more things to read about:
List of clean and infected download managers (http://www.safer-networking.org/en/articles/download-managers.html)
Configuring Skype (http://www.tcd.ie/iss/internet/skype.php)
Greater email safety (http://surfthenetsafely.com/surfsafely4.htm)
Phishing - what is it? (http://surfthenetsafely.com/phishing.htm)
Configuring Outlook Express (http://surfthenetsafely.com/slides/oeconfigureslide1.htm)
80 Super Security Tips (http://www.pcmag.com/article2/0,1895,1838690,00.asp)