Ad-Aware 2007 removed a trojan but I don't think it's gone

BullGuard Antivirus Forum > Virus Removal > Removal Help
cctroublemaker12
New Member


Date Joined Sep 2006
Total Posts : 19
 
Posted 5-5-2008 1:27 (GMT +1)
I ran a HijackThis log to make sure, but to my knowledge you need a specific fix to remove trojan viruses or else they just regenerate.

Here is the log I ran after I ran my Ad-Aware program and restarted the computer:

Logfile of HijackThis v1.99.1
Scan saved at 7:12:06 AM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\mmrtkrnl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\UTEC1\Desktop\Misc Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1260CFE4-5773-74AE-0A61-5D00CECD8C9F} - C:\WINDOWS\system32\eyqjv.dll
O2 - BHO: (no name) - {446E18FE-D73B-FABB-1C60-8D8DC926D7C9} - (no file)
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9C76733E-BCFB-CE2E-8BA9-E1ABDB700194} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Realtime Audio Engine] "mmrtkrnl.exe" /i
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
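As an added example (it is not code from this thread, from HijackThis or from the forum's helpers), here is a small Python triage script that applies the kinds of checks a helper makes when reading a log like the one above: BHOs with no name or no file, Run entries that launch a bare filename through the search path rather than a full path, unresolved startup shortcuts, buttons whose file is missing, and Winsock LSPs HijackThis does not recognise. The sample input is a handful of lines copied from the log above; the rules and their wording are my own heuristics and flag entries for a human to look at, not verdicts that an entry is malicious.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted above (one of each entry type
# the triage rules below look at), embedded so the script runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:12:06 AM, on 5/5/2008

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1260CFE4-5773-74AE-0A61-5D00CECD8C9F} - C:\WINDOWS\system32\eyqjv.dll
O2 - BHO: (no name) - {446E18FE-D73B-FABB-1C60-8D8DC926D7C9} - (no file)
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Realtime Audio Engine] "mmrtkrnl.exe" /i
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# "O2 - BHO: ..." -> section "O2", text "BHO: ..."
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# "HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(.+?)\] (.*)$")


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O2"
    text: str     # everything after "O2 - "


@dataclass
class Finding:
    section: str
    reason: str   # why the entry deserves a human look (heuristic, not a verdict)
    entry: str


def parse_hjt(log_text: str) -> list[Entry]:
    """Keep only the R*/O* entry lines; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def first_token(command: str) -> str:
    """Return the executable part of a Run command (quoted string or first word)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def has_explicit_path(exe: str) -> bool:
    """True for drive-letter paths, anything containing a backslash, or %VAR% paths."""
    return bool(re.match(r"^[A-Za-z]:\\", exe)) or "\\" in exe or exe.startswith("%")


def triage(log_text: str) -> list[Finding]:
    """Apply the review heuristics to every entry and return what to look at."""
    findings = []
    for e in parse_hjt(log_text):
        t = e.text
        if e.section == "O2":
            if "(no file)" in t:
                findings.append(Finding(e.section,
                    "BHO CLSID points to a DLL that no longer exists (orphaned registration)", t))
            elif "(no name)" in t:
                findings.append(Finding(e.section,
                    "BHO has no display name; identify the DLL before trusting it", t))
        elif e.section == "O4":
            m = RUN_RE.match(t)
            if m and not has_explicit_path(first_token(m.group(2))):
                findings.append(Finding(e.section,
                    "Run entry launches a bare filename resolved via the search path; "
                    "confirm which file actually runs", t))
            elif t.startswith("Global Startup:") and t.endswith("= ?"):
                findings.append(Finding(e.section,
                    "startup shortcut target could not be resolved", t))
        elif e.section == "O9" and "(file missing)" in t:
            findings.append(Finding(e.section,
                "IE button/menu item points to a missing file (orphaned)", t))
        elif e.section == "O10" and t.startswith("Unknown file in Winsock LSP"):
            findings.append(Finding(e.section,
                "Winsock LSP not in HijackThis's known list; verify the DLL's vendor", t))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Run it with no arguments to see the eight entries from the sample that a reviewer would want to examine; the fully qualified entries such as ctfmon.exe and HPWuSchd2.exe produce nothing. To use it on a real log, pass the file contents to `triage()` instead of `SAMPLE_LOG`.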
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 5-5-2008 2:11 (GMT +1)
Hello

Please download Combofix:
download.bleepingcomputer.com/sUBs/ComboFix.exe

And save it to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running Combofix.

Important -> Temporarily disable your anti-virus real-time protection before performing a scan. They can interfere with Combofix or remove some of its embedded files, which may cause "unpredictable results".

Double-click on the Combofix icon found on your desktop.

Please note that once you start Combofix you should not click anywhere on the Combofix window, as it can cause the program to stall. In fact, when Combofix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply with a new HijackThis log.

Do NOT post your problem in someone else's thread.

 

cctroublemaker12
New Member


Date Joined Sep 2006
Total Posts : 19
 
Posted 5-5-2008 4:08 (GMT +1)
Combofix Log

ComboFix 08-05-01.3 - UTEC1 2008-05-05 9:50:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -5:00]
Running from: C:\Documents and Settings\UTEC1\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\UTEC1\Application Data\DOBE~1
C:\Documents and Settings\UTEC1\Application Data\MCROSO~1.NET
C:\Documents and Settings\UTEC1\Application Data\MCROSO~1.NET\?poolsv.exe
C:\Documents and Settings\UTEC1\Application Data\RACLE~1
C:\Documents and Settings\UTEC1\Application Data\SEMBLY~1
C:\Documents and Settings\UTEC1\My Documents\DOBE~1
C:\Documents and Settings\UTEC1\My Documents\DOBE~1\?dobe\
C:\Documents and Settings\UTEC1\My Documents\YSTEM~1
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\sstem3~1
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\mcroso~1
C:\Program Files\racle~1
C:\WINDOWS\asks~1
C:\WINDOWS\b103.exe
C:\WINDOWS\ppatch~1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\wcptr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-05 09:50 . 2008-05-05 09:50 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-04 11:13 . 2008-05-04 11:15 <DIR> d-------- C:\Program Files\CCleaner
2008-04-29 23:51 . 2008-04-29 17:44 3,632 --a------ C:\WINDOWS\hpbvnstp.hi1
2008-04-29 23:51 . 2008-04-29 17:44 1,084 --a------ C:\WINDOWS\hpbvnstp.bu1
2008-04-29 23:51 . 2008-04-29 17:45 659 --a------ C:\WINDOWS\hpbvspst.hi1
2008-04-29 23:51 . 2008-04-29 17:45 318 --a------ C:\WINDOWS\hpbvspst.bu1
2008-04-29 23:48 . 2008-04-29 23:48 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-04-29 19:34 . 2008-04-29 19:34 92,767 --------- C:\WINDOWS\hppins05.dat.temp
2008-04-29 19:34 . 2006-06-01 08:25 896 --------- C:\WINDOWS\hppmdl05.dat.temp
2008-04-29 18:28 . 2008-04-29 18:28 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-04-29 17:45 . 2008-04-29 23:59 93,130 --a------ C:\WINDOWS\hppins05.dat
2008-04-29 17:45 . 2006-06-01 08:25 896 --------- C:\WINDOWS\hppmdl05.dat
2008-04-29 17:44 . 2006-06-12 05:36 241,664 --a------ C:\WINDOWS\system32\hppapr04.DLL
2008-04-29 17:44 . 2006-06-12 05:36 118,784 -ra------ C:\WINDOWS\system32\hppcew04.dll
2008-04-29 17:44 . 2006-06-12 05:36 49,152 -ra------ C:\WINDOWS\system32\FXCompChannel.dll
2008-04-29 17:44 . 2006-06-12 05:36 17,024 -ra------ C:\WINDOWS\system32\drivers\hpfxgen.sys
2008-04-29 17:44 . 2006-06-12 05:36 9,344 -ra------ C:\WINDOWS\system32\drivers\hpfxbulk.sys
2008-04-29 17:44 . 2008-04-29 23:51 3,942 --a------ C:\WINDOWS\hpbvnstp.his
2008-04-29 17:44 . 2008-04-29 23:51 1,343 --a------ C:\WINDOWS\hpbvnstp.ini
2008-04-29 17:44 . 2008-04-29 23:51 803 --a------ C:\WINDOWS\hpbvspst.his
2008-04-29 17:44 . 2005-10-05 09:55 526 --a------ C:\WINDOWS\system32\hppapr04.DAT
2008-04-29 17:44 . 2008-04-29 23:51 462 --a------ C:\WINDOWS\hpbvspst.ini
2008-04-29 12:54 . 2008-04-29 12:54 1,409 --a------ C:\WINDOWS\INT1VECT.FOT
2008-04-27 07:18 . 2008-04-27 07:22 212 --a------ C:\WINDOWS\EIVADISP.INI
2008-04-25 18:50 . 2008-04-25 18:50 1,409 --a------ C:\WINDOWS\system32\tmpEC899.FOT
2008-04-25 18:50 . 2008-04-25 18:50 1,409 --a------ C:\WINDOWS\system32\tmpB4999.FOT
2008-04-25 18:50 . 2008-04-25 18:50 1,409 --a------ C:\WINDOWS\system32\tmp8C999.FOT
2008-04-25 03:14 . 2008-04-25 03:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 03:14 . 2008-04-25 03:14 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 11:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-05 11:10 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-05 11:10 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-05 11:10 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-05 10:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-05 10:41 --------- d-----w C:\Program Files\QPS
2008-05-04 16:18 --------- d-----w C:\Program Files\CyberLink
2008-05-01 12:38 75,912 ----a-w C:\Documents and Settings\UTEC1\Application Data\GDIPFONTCACHEV1.DAT
2008-04-30 04:59 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\HP
2008-04-30 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-30 04:55 --------- d-----w C:\Program Files\HP
2008-04-29 18:18 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\SpywareBot
2008-04-25 06:38 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\U3
2008-04-25 06:13 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\Apple Computer
2008-04-20 18:34 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\AVG7
2008-04-14 13:20 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\Image Zone Express
2008-04-04 14:54 --------- d-----w C:\Program Files\GPLGS
2008-04-04 14:53 --------- d-----w C:\Program Files\Acro Software
2008-03-31 03:25 --------- d-----w C:\Program Files\iTunes
2008-03-31 03:25 --------- d-----w C:\Program Files\iPod
2008-03-31 03:22 --------- d-----w C:\Program Files\Bonjour
2008-03-31 03:21 --------- d-----w C:\Program Files\QuickTime
2008-03-27 01:48 --------- d-----w C:\Program Files\TechSmith
2008-03-27 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-03-27 01:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 21:46 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 06:49 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\TeamViewer
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-11-19 14:49 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-07-29 21:24 472 --sha-r C:\WINDOWS\VVRFQzM\pplIkWg.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1260CFE4-5773-74AE-0A61-5D00CECD8C9F}]
2008-01-28 11:29 60928 --a------ C:\WINDOWS\system32\eyqjv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{446E18FE-D73B-FABB-1C60-8D8DC926D7C9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C76733E-BCFB-CE2E-8BA9-E1ABDB700194}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-06-14 14:51 8676848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 04:44 2744832 C:\WINDOWS\ALCWZRD.EXE]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 08:05 86016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-06-14 14:51 8676848]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 09:20 579584]
"Realtime Audio Engine"="mmrtkrnl.exe" [2007-05-23 14:16 70144 C:\WINDOWS\system32\mmrtkrnl.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"hpbdfawep"="C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-23 21:47 618496]
"ToolBoxFX"="C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 08:43 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 08:05 7557120]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 09:18 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-11-12 12:13:49 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-18 01:38:41 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AP Utility\\locator.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys [2006-06-12 05:36]
S0 IFP300;iriver Internet Audio Player IFP-300;C:\WINDOWS\system32\DRIVERS\ifp300.sys []
S3 EdgeSer;Inside Out Networks Edgeport Driver;C:\WINDOWS\system32\DRIVERS\edgeser.sys [2005-07-14 09:01]
S3 Ionenum;Inside Out Networks Filter Driver;C:\WINDOWS\system32\DRIVERS\ionenum.sys [2004-01-21 15:53]
S3 PVDrv;PortVision Protocol;C:\WINDOWS\system32\DRIVERS\PVDrv.sys [2004-09-01 10:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{474c06ae-adf4-11dc-b5bb-00301bb7a23c}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68b9de2e-01aa-11dd-b5f0-00301bb7a23c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8eac3000-f8e2-11dc-b5e7-00301bb7a23c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb9afbcc-c6ef-11dc-b5d0-00301bb7a23c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3b4f8ad-28b5-11dc-b466-00301bb7a23c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-05 14:53:49 C:\WINDOWS\Tasks\RegCure Program Check.job"
- G:\RegCure\RegCure.exe
"2008-05-01 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- G:\RegCure\RegCure.exe
"2008-05-05 14:54:03 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 09:54:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-05-05 9:58:14 - machine was rebooted [UTEC1]
ComboFix-quarantined-files.txt 2008-05-05 14:58:11

Pre-Run: 229,692,960,768 bytes free
Post-Run: 230,000,320,512 bytes free

214 --- E O F --- 2008-05-02 16:17:34

HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 9:59:55 AM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\mmrtkrnl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\UTEC1\Desktop\Misc Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1260CFE4-5773-74AE-0A61-5D00CECD8C9F} - C:\WINDOWS\system32\eyqjv.dll
O2 - BHO: (no name) - {446E18FE-D73B-FABB-1C60-8D8DC926D7C9} - (no file)
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9C76733E-BCFB-CE2E-8BA9-E1ABDB700194} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Realtime Audio Engine] "mmrtkrnl.exe" /i
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 5-5-2008 6:37 (GMT +1)
Open notepad and copy/paste the text in the quote box below into it:
Quote:
-----------------------------------------------------

KILLALL::

Snapshot::
File::
C:\WINDOWS\system32\eyqjv.dll
Folder::
C:\WINDOWS\VVRFQzM
C:\Documents and Settings\UTEC1\Application Data\SpywareBot
C:\Program Files\SpywareBot\SpywareBot.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1260CFE4-5773-74AE-0A61-5D00CECD8C9F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{446E18FE-D73B-FABB-1C60-8D8DC926D7C9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C76733E-BCFB-CE2E-8BA9-E1ABDB700194}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
""SpywareBot"=-



----------------------------------------------

Save this as CFScript.txt

www.fromsej.saknet.dk/billeder/cfscript.gif

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system.
It may reboot your system when it finishes. This is normal.


Post a new HijackThis log along with a fresh ComboFix log.


Do NOT post your problem in someone else's thread.


cctroublemaker12
New Member


Date Joined Sep 2006
Total Posts : 19
Posted 5-6-2008 6:26 (GMT +1)
New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:18:02 AM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\mmrtkrnl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\UTEC1\Desktop\Misc Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Realtime Audio Engine] "mmrtkrnl.exe" /i
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

New ComboFix log

ComboFix 08-05-01.3 - UTEC1 2008-05-06 0:02:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.651 [GMT -5:00]
Running from: C:\Documents and Settings\UTEC1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\UTEC1\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\eyqjv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\UTEC1\Application Data\SpywareBot
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\DataBase.ref
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Log\2008 May 05 - 07_10_29 AM_843.log
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Log\2008 May 05 - 07_10_30 AM_203.log
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Log\2008 May 05 - 07_10_31 AM_093.log
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Log\2008 May 05 - 07_10_31 AM_875.log
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Log\2008 May 05 - 09_54_01 AM_562.log
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Log\2008 May 05 - 09_54_02 AM_078.log
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Log\2008 May 05 - 09_54_03 AM_625.log
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Log\2008 May 05 - 09_54_04 AM_421.log
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\rs.dat
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Settings\CustomScan.stg
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Settings\IgnoreList.stg
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Settings\ScanInfo.stg
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Settings\SelectedFolders.stg
C:\Documents and Settings\UTEC1\Application Data\SpywareBot\Settings\Settings.stg
C:\Program Files\SpywareBot\SpywareBot.exe\
C:\WINDOWS\system32\eyqjv.dll
C:\WINDOWS\VVRFQzM
C:\WINDOWS\VVRFQzM\pplIkWg.vbs

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 00:10 . 2008-05-06 00:10 <DIR> d-------- C:\Documents and Settings\UTEC1\Application Data\SpywareBot
2008-05-05 09:50 . 2008-05-05 09:50 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-04 11:13 . 2008-05-04 11:15 <DIR> d-------- C:\Program Files\CCleaner
2008-04-29 23:51 . 2008-04-29 17:44 3,632 --a------ C:\WINDOWS\hpbvnstp.hi1
2008-04-29 23:51 . 2008-04-29 17:44 1,084 --a------ C:\WINDOWS\hpbvnstp.bu1
2008-04-29 23:51 . 2008-04-29 17:45 659 --a------ C:\WINDOWS\hpbvspst.hi1
2008-04-29 23:51 . 2008-04-29 17:45 318 --a------ C:\WINDOWS\hpbvspst.bu1
2008-04-29 23:48 . 2008-04-29 23:48 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-04-29 19:34 . 2008-04-29 19:34 92,767 --------- C:\WINDOWS\hppins05.dat.temp
2008-04-29 19:34 . 2006-06-01 08:25 896 --------- C:\WINDOWS\hppmdl05.dat.temp
2008-04-29 18:28 . 2008-04-29 18:28 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-04-29 17:45 . 2008-04-29 23:59 93,130 --a------ C:\WINDOWS\hppins05.dat
2008-04-29 17:45 . 2006-06-01 08:25 896 --------- C:\WINDOWS\hppmdl05.dat
2008-04-29 17:44 . 2006-06-12 05:36 241,664 --a------ C:\WINDOWS\system32\hppapr04.DLL
2008-04-29 17:44 . 2006-06-12 05:36 118,784 -ra------ C:\WINDOWS\system32\hppcew04.dll
2008-04-29 17:44 . 2006-06-12 05:36 49,152 -ra------ C:\WINDOWS\system32\FXCompChannel.dll
2008-04-29 17:44 . 2006-06-12 05:36 17,024 -ra------ C:\WINDOWS\system32\drivers\hpfxgen.sys
2008-04-29 17:44 . 2006-06-12 05:36 9,344 -ra------ C:\WINDOWS\system32\drivers\hpfxbulk.sys
2008-04-29 17:44 . 2008-04-29 23:51 3,942 --a------ C:\WINDOWS\hpbvnstp.his
2008-04-29 17:44 . 2008-04-29 23:51 1,343 --a------ C:\WINDOWS\hpbvnstp.ini
2008-04-29 17:44 . 2008-04-29 23:51 803 --a------ C:\WINDOWS\hpbvspst.his
2008-04-29 17:44 . 2005-10-05 09:55 526 --a------ C:\WINDOWS\system32\hppapr04.DAT
2008-04-29 17:44 . 2008-04-29 23:51 462 --a------ C:\WINDOWS\hpbvspst.ini
2008-04-29 12:54 . 2008-04-29 12:54 1,409 --a------ C:\WINDOWS\INT1VECT.FOT
2008-04-27 07:18 . 2008-04-27 07:22 212 --a------ C:\WINDOWS\EIVADISP.INI
2008-04-25 18:50 . 2008-04-25 18:50 1,409 --a------ C:\WINDOWS\system32\tmpEC899.FOT
2008-04-25 18:50 . 2008-04-25 18:50 1,409 --a------ C:\WINDOWS\system32\tmpB4999.FOT
2008-04-25 18:50 . 2008-04-25 18:50 1,409 --a------ C:\WINDOWS\system32\tmp8C999.FOT
2008-04-25 03:14 . 2008-04-25 03:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 03:14 . 2008-04-25 03:14 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 11:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-05 11:10 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-05 11:10 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-05 10:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-05 10:41 --------- d-----w C:\Program Files\QPS
2008-05-04 16:18 --------- d-----w C:\Program Files\CyberLink
2008-05-01 12:38 75,912 ----a-w C:\Documents and Settings\UTEC1\Application Data\GDIPFONTCACHEV1.DAT
2008-04-30 04:59 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\HP
2008-04-30 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-30 04:55 --------- d-----w C:\Program Files\HP
2008-04-25 06:38 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\U3
2008-04-25 06:13 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\Apple Computer
2008-04-20 18:34 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\AVG7
2008-04-14 13:20 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\Image Zone Express
2008-04-04 14:54 --------- d-----w C:\Program Files\GPLGS
2008-04-04 14:53 --------- d-----w C:\Program Files\Acro Software
2008-03-31 03:25 --------- d-----w C:\Program Files\iTunes
2008-03-31 03:25 --------- d-----w C:\Program Files\iPod
2008-03-31 03:22 --------- d-----w C:\Program Files\Bonjour
2008-03-31 03:21 --------- d-----w C:\Program Files\QuickTime
2008-03-27 01:48 --------- d-----w C:\Program Files\TechSmith
2008-03-27 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-03-27 01:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 21:46 --------- d-----w C:\Program Files\Java
2008-03-17 06:49 --------- d-----w C:\Documents and Settings\UTEC1\Application Data\TeamViewer
2007-11-19 14:49 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-06-14 14:51 8676848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 04:44 2744832 C:\WINDOWS\ALCWZRD.EXE]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 08:05 86016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-06-14 14:51 8676848]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 09:20 579584]
"Realtime Audio Engine"="mmrtkrnl.exe" [2007-05-23 14:16 70144 C:\WINDOWS\system32\mmrtkrnl.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"hpbdfawep"="C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-23 21:47 618496]
"ToolBoxFX"="C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 08:43 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 08:05 7557120]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 09:18 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-11-12 12:13:49 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-18 01:38:41 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AP Utility\\locator.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys [2006-06-12 05:36]
S0 IFP300;iriver Internet Audio Player IFP-300;C:\WINDOWS\system32\DRIVERS\ifp300.sys []
S3 EdgeSer;Inside Out Networks Edgeport Driver;C:\WINDOWS\system32\DRIVERS\edgeser.sys [2005-07-14 09:01]
S3 Ionenum;Inside Out Networks Filter Driver;C:\WINDOWS\system32\DRIVERS\ionenum.sys [2004-01-21 15:53]
S3 PVDrv;PortVision Protocol;C:\WINDOWS\system32\DRIVERS\PVDrv.sys [2004-09-01 10:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{474c06ae-adf4-11dc-b5bb-00301bb7a23c}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68b9de2e-01aa-11dd-b5f0-00301bb7a23c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8eac3000-f8e2-11dc-b5e7-00301bb7a23c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb9afbcc-c6ef-11dc-b5d0-00301bb7a23c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3b4f8ad-28b5-11dc-b466-00301bb7a23c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 05:09:54 C:\WINDOWS\Tasks\RegCure Program Check.job"
- G:\RegCure\RegCure.exe
"2008-05-01 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- G:\RegCure\RegCure.exe
"2008-05-06 05:10:10 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 00:10:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2008-05-06 0:14:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 05:14:17
ComboFix2.txt 2008-05-05 14:58:15

Pre-Run: 230,025,465,856 bytes free
Post-Run: 230,009,569,280 bytes free

198 --- E O F --- 2008-05-02 16:17:34

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 5-6-2008 9:08 (GMT +1)
Run HijackThis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked:
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot



Reboot and tell me how things are running.


Do NOT post your problem in someone else's thread.

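Added example, not HijackThis, ComboFix or the moderator's own tooling: a Python script that indexes the O2 (BHO) and O4 (Run) lines of two HijackThis logs, reports what a cleanup pass removed and what survived, and renders the leftovers in the Registry:: notation of the CFScript above; this is the check behind the follow-up "fix checked" step, where the SpywareBot Run values turned out to be still present. The two log excerpts inside it are constructed from lines quoted in this thread; the eyqjv.dll BHO line is assumed, built from a CLSID the CFScript targets.

```python
"""Added example for this thread, not part of HijackThis or ComboFix: index
the O2 (BHO) and O4 (Run) lines of two HijackThis logs, report what a cleanup
pass removed and what survived, and render leftovers in CFScript notation."""
import re
from typing import Dict, List, NamedTuple

# "O4 - HKLM\..\Run: [Name] command line"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# "O2 - BHO: Title - {CLSID} - path\to.dll"
O2_BHO = re.compile(
    r"^O2 - BHO: (?P<title>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


class Entry(NamedTuple):
    kind: str    # "O4" (Run value) or "O2" (browser helper object)
    key: str     # identity that survives reboots: hive+name, or CLSID
    name: str    # Run value name or CLSID, as written in the log
    target: str  # command line or DLL path the entry points at
    raw: str     # the original line, ready to be checked in HJT


def parse_hjt(log: str) -> Dict[str, Entry]:
    """Index the O2 and O4 Run lines of a HijackThis log by stable key."""
    entries: Dict[str, Entry] = {}
    for line in log.splitlines():
        line = line.strip()
        m = O4_RUN.match(line)
        if m:
            key = f"O4:{m['hive']}:{m['name'].lower()}"
            entries[key] = Entry("O4", key, m["name"], m["cmd"], line)
            continue
        m = O2_BHO.match(line)
        if m:
            clsid = m["clsid"].upper()
            entries[f"O2:{clsid}"] = Entry("O2", f"O2:{clsid}", clsid, m["path"], line)
    return entries


def compare_logs(before: str, after: str) -> Dict[str, List[Entry]]:
    """Split autostarts into removed / persisted / new between two scans."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "removed":   [b[k] for k in sorted(b.keys() - a.keys())],
        "persisted": [a[k] for k in sorted(a.keys() & b.keys())],
        "new":       [a[k] for k in sorted(a.keys() - b.keys())],
    }


def still_present(after: str, suspects: List[str]) -> List[Entry]:
    """Entries in the fresh log whose name or target still mentions a suspect."""
    hits = []
    for e in parse_hjt(after).values():
        haystack = (e.name + " " + e.target).lower()
        if any(s.lower() in haystack for s in suspects):
            hits.append(e)
    return hits


HIVE_LONG = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def cfscript_registry_block(entries: List[Entry]) -> str:
    """Render leftovers as a Registry:: section in the thread's CFScript
    notation: "name"=- deletes a Run value, [-key] deletes a BHO key."""
    lines = ["Registry::"]
    for e in entries:
        if e.kind == "O4":
            hive = HIVE_LONG[e.key.split(":")[1]]
            lines.append(f"[{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
            lines.append(f'"{e.name}"=-')
        else:
            lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{e.name}]")
    return "\n".join(lines)


# Constructed excerpt of the first log. The eyqjv.dll BHO line is assumed,
# built from a CLSID the CFScript targets; that part of the log is not quoted here.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {1260CFE4-5773-74AE-0A61-5D00CECD8C9F} - C:\WINDOWS\system32\eyqjv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
"""

# Constructed excerpt of the post-ComboFix log: the BHO is gone, but both
# SpywareBot Run values survived, which the follow-up "fix checked" step addresses.
AFTER_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
"""

if __name__ == "__main__":
    for bucket, items in compare_logs(BEFORE_LOG, AFTER_LOG).items():
        print(bucket, [e.raw for e in items])
    leftovers = still_present(AFTER_LOG, ["SpywareBot", "eyqjv.dll"])
    print(cfscript_registry_block(leftovers))
```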

cctroublemaker12
New Member


Date Joined Sep 2006
Total Posts : 19
Posted 5-6-2008 1:30 (GMT +1)
I ran AVG Anti-Virus (Free Edition) and it did not find anything. Then I ran Ad-Aware 2007, and the scan results list two items:

Win32.TrojanDownloader.Small
Win32.TrojanDropper

I don't know what TAI means, but it has a #7 and a #10 next to the items listed, respectively. I'm not sure if I should leave these two items alone, quarantine them, or remove them.

Please advise & thank you for all your help so far.

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 5-12-2008 6:46 (GMT +1)
Sorry for delay.

I suggest you remove or quarantine ->
Win32.TrojanDownloader.Small
Win32.TrojanDropper


Do NOT post your problem in someone else's thread.
