Free Antivirus Forum - Learn about antivirus, firewalls and personal security
Trojan Horse SHeur2.0GZ
   

dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-6-2009 5:58 (GMT +1)
I've got AVG, and it's been detecting this virus, Trojan Horse SHeur2.0GZ, for a while. After I use the computer for a while, there is a notice that Windows has encountered a generic host error in Win32 and needs to shut the program. If I press Debug, I lose the audio for Media Player; if I close it, my computer freezes.
 
I've googled it and followed some advice of yours:

Download and unzip to its own folder on the Desktop - http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip

Run ViewpointKiller.exe

Reboot.

ViewpointKiller 1.2 Final

ViewpointKiller does exactly what its name says: kills Viewpoint Media Player. Viewpoint Media Player is adware that displays bandwidth-eating popup ads in IE and on your desktop. It comes silently with an install of AIM and will be reinstalled by AIM if uninstalled.

ViewpointKiller fixes all of that. It takes off Viewpoint Media Player once and for all.
Once installed, run CCleaner and click the Windows tab.

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Next: click Options, then the Settings tab.
Uncheck "Only delete files older than 48 hrs.", then click OK.

Then click Run Cleaner (bottom right), then Exit.
Reboot.
 
Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Please connect all your external hard drives/flash drives before running Malwarebytes.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

Post the Malwarebytes log.
 
I've done that and this is my log file:
Malwarebytes' Anti-Malware 1.33
Database version: 1735
Windows 5.1.2600 Service Pack 2
2/7/2009 12:48:03 AM
mbam-log-2009-02-07 (00-48-03).txt
Scan type: Full Scan (C:\|D:\|E:\|H:\|)
Objects scanned: 161322
Time elapsed: 42 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
Is my computer healed already? Any next step?
 
Thanks for any help :)

Post Edited (dinkygenius) : 06-02-2009 16:59:23 GMT


Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16754
Posted 2-7-2009 7:22 (GMT +1)
Hello dinkygenius :)

I suggest you post a ComboFix log.

Please download ComboFix and save it to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running ComboFix, if you have any.

Double-click on the ComboFix icon found on your desktop.

Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, while ComboFix is running, do not touch your computer at all; just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.


Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.


dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-7-2009 7:27 (GMT +1)
Thanks Touch!

I'm going to install the program soon.

Meanwhile, an update: the problem still persists. I've met the generic host error twice this morning while awaiting your reply. This time my computer says that there's something wrong with my audio, and I listen to music using iTunes too.

Thanks for everything!

dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-7-2009 7:37 (GMT +1)
Okay, I have scanned using ComboFix:

ComboFix 09-02-06.01 - Administrator 2009-02-07 14:32:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1370 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))
.

2009-02-07 00:03 . 2009-02-07 00:04 <DIR> d-------- c:\program files\view point killer
2009-02-07 00:01 . 2009-02-07 00:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-07 00:01 . 2009-02-07 00:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-07 00:01 . 2009-02-07 00:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-07 00:01 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-07 00:01 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-06 23:44 . 2009-02-06 23:44 <DIR> d-------- c:\program files\CCleaner
2009-02-02 14:45 . 2009-02-02 14:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-02-02 14:44 . 2009-02-02 14:44 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-02-02 14:44 . 2008-11-07 00:37 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2009-02-02 14:44 . 2008-09-25 02:41 839,680 --a------ c:\windows\system32\lameACM.acm
2009-02-02 14:44 . 2008-12-08 02:08 795,648 --a------ c:\windows\system32\xvidcore.dll
2009-02-02 14:44 . 2008-11-07 00:33 684,032 --a------ c:\windows\system32\divx.dll
2009-02-02 14:44 . 2004-01-26 00:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2009-02-02 14:44 . 2008-09-17 03:23 168,448 --a------ c:\windows\system32\unrar.dll
2009-02-02 14:44 . 2008-12-08 02:08 130,048 --a------ c:\windows\system32\xvidvfw.dll
2009-02-02 14:44 . 2007-09-21 08:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2009-02-02 14:44 . 2008-12-11 08:33 86,016 --a------ c:\windows\system32\dpl100.dll
2009-02-02 14:44 . 2008-12-08 19:53 57,344 --a------ c:\windows\system32\ff_vfw.dll
2009-02-02 14:44 . 2007-07-11 00:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-02-02 14:44 . 2008-10-03 20:30 414 --a------ c:\windows\system32\lame_acm.xml
2009-01-29 09:34 . 2009-01-29 09:34 268 --ah----- C:\sqmdata13.sqm
2009-01-29 09:34 . 2009-01-29 09:34 244 --ah----- C:\sqmnoopt13.sqm
2009-01-21 16:05 . 2009-01-21 16:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Oberonv1001
2009-01-21 12:45 . 2009-02-06 12:14 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-14 23:26 . 2009-01-15 00:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ForgottenRiddles2
2009-01-14 19:56 . 2009-01-14 19:56 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-11 23:22 . 2009-01-11 23:22 268 --ah----- C:\sqmdata12.sqm
2009-01-11 23:22 . 2009-01-11 23:22 244 --ah----- C:\sqmnoopt12.sqm
2009-01-11 19:29 . 2009-01-11 19:29 268 --ah----- C:\sqmdata11.sqm
2009-01-11 19:29 . 2009-01-11 19:29 244 --ah----- C:\sqmnoopt11.sqm
2009-01-11 18:28 . 2009-01-11 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Gogii
2009-01-11 18:27 . 2009-01-21 16:04 <DIR> d-------- c:\program files\Oberon Media
2009-01-11 15:32 . 2009-01-11 15:32 268 --ah----- C:\sqmdata10.sqm
2009-01-11 15:32 . 2009-01-11 15:32 244 --ah----- C:\sqmnoopt10.sqm
2009-01-10 11:51 . 2009-01-10 11:51 268 --ah----- C:\sqmdata09.sqm
2009-01-10 11:51 . 2009-01-10 11:51 244 --ah----- C:\sqmnoopt09.sqm
2009-01-10 11:08 . 2009-01-10 11:08 <DIR> d-------- C:\users
2009-01-09 21:25 . 2009-01-09 21:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-01-08 17:01 . 2009-01-08 17:01 268 --ah----- C:\sqmdata08.sqm
2009-01-08 17:01 . 2009-01-08 17:01 244 --ah----- C:\sqmnoopt08.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-07 00:00 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2009-02-05 06:49 --------- d-----w c:\program files\Diablo II
2009-02-02 08:49 --------- d-----w c:\program files\StepMania
2009-01-21 08:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-19 04:58 --------- d-----w c:\program files\Common Files\Adobe
2009-01-16 00:53 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-16 00:48 --------- d-----w c:\documents and settings\Administrator\Application Data\Samsung
2009-01-14 11:56 --------- d-----w c:\program files\Java
2009-01-11 12:50 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-28 11:35 --------- d-----w c:\program files\iTunes
2008-12-28 11:35 --------- d-----w c:\program files\iPod
2008-12-28 11:35 --------- d-----w c:\program files\Common Files\Apple
2008-12-28 11:35 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-28 11:34 --------- d-----w c:\program files\QuickTime
2008-12-26 02:54 --------- d-----w c:\program files\Ubisoft
2008-12-24 10:12 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-24 09:51 --------- d-----w c:\program files\CAPCOM
2006-05-12 15:19 60,518 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-05-12 15:19 49,248 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-05-12 15:19 165,992 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2006-05-20 22:23 360448 9c515b8621d34478dfaa89b6b5434a54 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-02-04 62464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-05-20 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-05-06 6656]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-05-20 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-05-20 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-05-20 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-05-20 455168]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-17 590848]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-18 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-14 136600]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-05-20 15360]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-02-04 62464]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2008-01-21 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva204;XDva204;\??\c:\windows\system32\XDva204.sys --> c:\windows\system32\XDva204.sys [?]
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys --> c:\windows\system32\XDva208.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd54aa0b-4019-11dd-b1d3-00e04d44ef48}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sg/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-07 14:32:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-07 14:33:48
ComboFix-quarantined-files.txt 2009-02-07 06:33:46

Pre-Run: 86,349,328,384 bytes free
Post-Run: 86,340,698,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

175


What should I do now?
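The log above already contains the things a removal helper reads first: the Security Center values that silence its warnings are all set to 1, the Windows Firewall standard profile is off, three S3 services (XDva195/204/208) point at driver files ComboFix marks `[?]`, i.e. registered but not found on disk, and there is an AutoRun command on a mounted volume. As an added example, not from this thread or from ComboFix, the Python below pulls those indicators out of a ComboFix log and also checks an online scanner's MD5 against the log's Sigcheck line, so you know the file that was uploaded is the one ComboFix hashed. `SAMPLE_LOG` is a constructed excerpt copied from the log above, and the regular expressions are my assumptions about the layout seen in this thread, not a ComboFix specification.

```python
"""Triage the security-relevant parts of a ComboFix log.

Added example, not from this thread or from ComboFix.  SAMPLE_LOG is a
constructed excerpt: the Sigcheck, Security Center, firewall, service and
AutoRun lines copied from the first ComboFix log posted above.  The regular
expressions are assumptions about the layout seen in this thread, not a
ComboFix specification.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
------- Sigcheck -------
2006-05-20 22:23 360448 9c515b8621d34478dfaa89b6b5434a54 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva204;XDva204;\??\c:\windows\system32\XDva204.sys --> c:\windows\system32\XDva204.sys [?]
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys --> c:\windows\system32\XDva208.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
"""

# Layout assumptions, derived from the lines above.
SIGCHECK_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+([0-9a-fA-F]{32})\s+(\S.*?)\s*$", re.M)
SERVICE_RE = re.compile(r"^[SR]\d\s+([^;]+);[^;]*;\S+\s+-->\s+(\S.*?)\s+\[\?\]\s*$", re.M)
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{1,8})|(\d+)\s*\(0x[0-9a-fA-F]+\))')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(\S.*?)\s*$", re.M)

# Security Center values that, when set to 1, silence or override its warnings.
SECURITY_CENTER_FLAGS = ("antivirusdisablenotify", "updatesdisablenotify",
                         "antivirusoverride", "firewalloverride")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    detail: str


def sigcheck_entries(log):
    """Map each Sigcheck'd path (lower-cased) to the MD5 ComboFix recorded for it."""
    return {path.lower(): md5.lower() for md5, path in SIGCHECK_RE.findall(log)}


def sigcheck_matches(log, path, reported_md5):
    """True when an online scanner's MD5 equals the log's Sigcheck MD5, i.e. the
    file that was uploaded is the same file ComboFix hashed on disk."""
    return sigcheck_entries(log).get(path.lower()) == reported_md5.strip().lower()


def reg_values(log):
    """Flatten the REGEDIT4-style dump into {(key, value name): int}, lower-cased."""
    values, key = {}, None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, hexval, decval = m.groups()
            values[(key, name.lower())] = int(hexval, 16) if hexval is not None else int(decval)
    return values


def triage(log):
    """Return findings in a fixed order: Security Center, firewall, services, AutoRun."""
    findings, values = [], reg_values(log)
    flipped = sorted(name for (key, name), v in values.items()
                     if key.endswith(r"microsoft\security center")
                     and name in SECURITY_CENTER_FLAGS and v == 1)
    if flipped:
        findings.append(Finding("high", "Security Center alerts suppressed/overridden: " + ", ".join(flipped)))
    for (key, name), v in values.items():
        if key.endswith(r"firewallpolicy\standardprofile") and name == "enablefirewall" and v == 0:
            findings.append(Finding("high", "Windows Firewall disabled (standard profile)"))
    for service, path in SERVICE_RE.findall(log):
        # ComboFix marks the binary [?] when the service is registered but the file is gone.
        findings.append(Finding("medium", f"service {service} registered but driver {path} not found on disk"))
    for command in AUTORUN_RE.findall(log):
        findings.append(Finding("info", f"AutoRun command on a mounted volume: {command}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.detail}")
    # MD5 the online scanner reported for tcpip.sys later in this thread.
    print("tcpip.sys hash matches Sigcheck:",
          sigcheck_matches(SAMPLE_LOG, r"c:\windows\system32\drivers\tcpip.sys",
                           "9c515b8621d34478dfaa89b6b5434a54"))
```

A matching Sigcheck hash only proves the scanner saw the same bytes ComboFix saw; a service whose binary is `[?]` still needs the registry entry removed even though there is nothing left to upload, which is why a clean multi-scanner result on tcpip.sys does not close the case on its own.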
 

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16754
Posted 2-7-2009 8:04 (GMT +1)
Please upload and have these files scanned:
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\XDva195.sys

Here:

Post back the results.



Post Edited (Touch) : 07-02-2009 07:09:31 GMT


dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-7-2009 8:22 (GMT +1)

File: tcpip.sys
Status: OK
MD5: 9c515b8621d34478dfaa89b6b5434a54
Packers detected: -

Scanner results
Scan taken on 07 Feb 2009 07:16:14 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

I'm unable to find c:\windows\system32\XDva195.sys to scan it.

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16754
Posted 2-7-2009 8:31 (GMT +1)
1. Click Start button, then go to Programs, Accessories and click on Windows Explorer.
2. Select the Tools menu and click Folder Options.
3. Select the View Tab.
4. Under the "Hidden files and folders" heading please check Show hidden files and folders.
5. Uncheck the Hide protected operating system files (Recommended) option.
6. Click Yes to confirm.
7. Click OK.

See if you can find c:\windows\system32\XDva195.sys now



dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-7-2009 8:45 (GMT +1)
Sorry, nope, I still can't find it. There's no XDva in it. :(

dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-7-2009 9:49 (GMT +1)
In addition, my AVG has found 2 new viruses.

I-worm\Generic.CQL in C:\Documents and settings\NetworkService\Local Settings\Temporary internet files\contents.IE5\2PMBQVE

Worm\downloadadup in C:\Documents and settings\NetworkService\Local Settings\Temporary internet files\contents.IE5\2PMBQVE

Is it the same thing? Sorry, I'm kind of a noob at this kind of thing.

Post Edited (dinkygenius) : 07-02-2009 08:50:09 GMT


Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16754
Posted 2-8-2009 5:28 (GMT +1)
Ok.

Please download FileLook by jpshortstuff and save it to your Desktop.
Double-click FileLook.exe to run it.
Important! If using Windows Vista, be sure to Run As Administrator.
Ensure that BBCode Output is checked. Copy and paste everything in the code box below into the empty text field under FileLook by...

Code:
c:\windows\system32\XDva195.sys

Click the FileLook button to start the scan.
When finished, Notepad will open with the results of the scan in a text file named fl_log.txt, which will automatically be saved to the root of your system drive (typically C:\fl_log.txt).
Please copy and paste the contents of this log in your next reply.



dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-8-2009 6:42 (GMT +1)
FileLook.exe v2.0 by jpshortstuff
Log created at 13:41 on 08/02/2009
==================================
FileLook - "XDva195.sys"

Unable to find file.

==============================

=EOF=

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16754
Posted 2-8-2009 6:51 (GMT +1)
That's odd.
 
 
Open notepad and copy/paste the text in the quotebox below into it:


Quote:
 
Killall::
 
Snapshot::
 
File::
c:\windows\system32\XDva195.sys
c:\windows\system32\XDva204.sys
c:\windows\system32\XDva208.sys
 
 
Driver::
XDva195
XDva204
XDva208
 


 
 
Save this as:
CFScript

Referring to the picture above, drag CFScript into ComboFix.exe

Then post a fresh ComboFix log.



dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-8-2009 7:16 (GMT +1)
Oh no... is it bad? Anyway, this is the latest ComboFix log:
 
ComboFix 09-02-06.04 - Administrator 2009-02-08 14:09:44.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1584 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
 * Created a new restore point
FILE ::
c:\windows\system32\XDva195.sys
c:\windows\system32\XDva204.sys
c:\windows\system32\XDva208.sys
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system\svhost.exe
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\temp
c:\windows\temp\77.exe
H:\Autorun.inf
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYSDRV32
-------\Legacy_XDVA195
-------\Legacy_XDVA204
-------\Legacy_XDVA208
-------\Service_sysdrv32
-------\Service_XDva195
-------\Service_XDva204
-------\Service_XDva208

(((((((((((((((((((((((((   Files Created from 2009-01-08 to 2009-02-08  )))))))))))))))))))))))))))))))
.
2009-02-08 13:47 . 2009-02-08 13:47 26,624 --a------ c:\windows\system32\56.scr
2009-02-08 12:38 . 2009-02-08 12:38 26,624 --a------ c:\windows\system32\10.scr
2009-02-07 00:03 . 2009-02-07 00:04 <DIR> d-------- c:\program files\view point killer
2009-02-07 00:01 . 2009-02-07 00:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-07 00:01 . 2009-02-07 00:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-07 00:01 . 2009-02-07 00:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-07 00:01 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-07 00:01 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-06 23:44 . 2009-02-06 23:44 <DIR> d-------- c:\program files\CCleaner
2009-02-02 14:45 . 2009-02-02 14:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-02-02 14:44 . 2009-02-02 14:44 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-02-02 14:44 . 2008-11-07 00:37 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2009-02-02 14:44 . 2008-09-25 02:41 839,680 --a------ c:\windows\system32\lameACM.acm
2009-02-02 14:44 . 2008-12-08 02:08 795,648 --a------ c:\windows\system32\xvidcore.dll
2009-02-02 14:44 . 2008-11-07 00:33 684,032 --a------ c:\windows\system32\divx.dll
2009-02-02 14:44 . 2004-01-26 00:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2009-02-02 14:44 . 2008-09-17 03:23 168,448 --a------ c:\windows\system32\unrar.dll
2009-02-02 14:44 . 2008-12-08 02:08 130,048 --a------ c:\windows\system32\xvidvfw.dll
2009-02-02 14:44 . 2007-09-21 08:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2009-02-02 14:44 . 2008-12-11 08:33 86,016 --a------ c:\windows\system32\dpl100.dll
2009-02-02 14:44 . 2008-12-08 19:53 57,344 --a------ c:\windows\system32\ff_vfw.dll
2009-02-02 14:44 . 2007-07-11 00:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-02-02 14:44 . 2008-10-03 20:30 414 --a------ c:\windows\system32\lame_acm.xml
2009-01-29 09:34 . 2009-01-29 09:34 268 --ah----- C:\sqmdata13.sqm
2009-01-29 09:34 . 2009-01-29 09:34 244 --ah----- C:\sqmnoopt13.sqm
2009-01-21 16:05 . 2009-01-21 16:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Oberonv1001
2009-01-21 12:45 . 2009-02-07 16:41 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-14 23:26 . 2009-01-15 00:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ForgottenRiddles2
2009-01-14 19:56 . 2009-01-14 19:56 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-11 23:22 . 2009-01-11 23:22 268 --ah----- C:\sqmdata12.sqm
2009-01-11 23:22 . 2009-01-11 23:22 244 --ah----- C:\sqmnoopt12.sqm
2009-01-11 19:29 . 2009-01-11 19:29 268 --ah----- C:\sqmdata11.sqm
2009-01-11 19:29 . 2009-01-11 19:29 244 --ah----- C:\sqmnoopt11.sqm
2009-01-11 18:28 . 2009-01-11 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Gogii
2009-01-11 18:27 . 2009-01-21 16:04 <DIR> d-------- c:\program files\Oberon Media
2009-01-11 15:32 . 2009-01-11 15:32 268 --ah----- C:\sqmdata10.sqm
2009-01-11 15:32 . 2009-01-11 15:32 244 --ah----- C:\sqmnoopt10.sqm
2009-01-10 11:51 . 2009-01-10 11:51 268 --ah----- C:\sqmdata09.sqm
2009-01-10 11:51 . 2009-01-10 11:51 244 --ah----- C:\sqmnoopt09.sqm
2009-01-10 11:08 . 2009-01-10 11:08 <DIR> d-------- C:\users
2009-01-09 21:25 . 2009-01-09 21:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-01-08 17:01 . 2009-01-08 17:01 268 --ah----- C:\sqmdata08.sqm
2009-01-08 17:01 . 2009-01-08 17:01 244 --ah----- C:\sqmnoopt08.sqm
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 01:56 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2009-02-05 06:49 --------- d-----w c:\program files\Diablo II
2009-02-02 08:49 --------- d-----w c:\program files\StepMania
2009-01-21 08:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-19 04:58 --------- d-----w c:\program files\Common Files\Adobe
2009-01-16 00:53 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-16 00:48 --------- d-----w c:\documents and settings\Administrator\Application Data\Samsung
2009-01-14 11:56 --------- d-----w c:\program files\Java
2009-01-11 12:50 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-28 11:35 --------- d-----w c:\program files\iTunes
2008-12-28 11:35 --------- d-----w c:\program files\iPod
2008-12-28 11:35 --------- d-----w c:\program files\Common Files\Apple
2008-12-28 11:35 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-28 11:34 --------- d-----w c:\program files\QuickTime
2008-12-26 02:54 --------- d-----w c:\program files\Ubisoft
2008-12-24 10:12 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-24 09:51 --------- d-----w c:\program files\CAPCOM
2006-05-12 15:19 60,518 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-05-12 15:19 49,248 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-05-12 15:19 165,992 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
2006-05-20 22:23  360448  9c515b8621d34478dfaa89b6b5434a54 c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-02-04 62464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-05-20 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-05-06 6656]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-05-20 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-05-20 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-05-20 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-05-20 455168]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-17 590848]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-18 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-14 136600]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-05-20 15360]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-02-04 62464]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2008-01-21 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WindowsTelephony]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\System32\\10.scr"=
"c:\\WINDOWS\\System32\\56.scr"=
S2 WindowsTelephony;Windows Telephony;"c:\windows\system\svhost.exe" --> c:\windows\system\svhost.exe [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sg/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 14:12:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(540)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe
c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-08 14:14:05 - machine was rebooted
ComboFix-quarantined-files.txt  2009-02-08 06:14:03
ComboFix2.txt  2009-02-07 06:33:49
Pre-Run: 86,359,105,536 bytes free
Post-Run: 86,295,150,592 bytes free
210

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16754
Posted 2-8-2009 7:40 (GMT +1)
It's not bad ;-)
 
 
Click Start, then select Run from the Start Menu.
 
Type in services.msc - then click OK or press Enter.
Right-click on:
WindowsTelephony
 
Select "Disabled" from the dropdown next to "Startup Type"
in the Service Properties dialog, then click OK or press Enter.
 
 
Download this version of HijackThis from http://danborg.org/spy/hjt/alternativ.exe
 
Save it in a permanent folder of your choice, such as C:\HJT\. To create this specific folder on your hard drive: double-click the 'My Computer' icon on your desktop, then under the category Hard Disk Drives double-click Local Disk:, then select File -> New -> Folder and name it HJT.
Run HijackThis (alternativ.exe).

Choose the "Do a system scan and save a log file" option to perform your scan.
HijackThis will analyze your system and automatically open a Notepad text file containing the HijackThis log when the scan is finished.
Open the text file containing the log with a text editor and click Edit -> Select All, followed by Edit -> Copy.
From within the browser window and with the message body text box selected, click Edit -> Paste.
 
Post the HijackThis log, and tell me how things are running.
 


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.


dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-8-2009 7:46 (GMT +1)
Logfile of HijackThis v1.99.1
Scan saved at 2:46:00 PM, on 2/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\mmc.exe
C:\HJT\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213568714411
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213568673614
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-8-2009 7:51 (GMT +1)
things are running okay for now.. so is it clear now??

btw there seem to be a lot of folders like desktop and thumbs etc.. do I ignore them??

thanks so much for your help!!! C-=

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16754
Posted 2-8-2009 7:59 (GMT +1)
It's clean - good job :-)
 
 
The thumbs files/folders will disappear now ->
 
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
 
 
 
Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Press Enter

This will ->
Uninstall ComboFix and delete its related folders and files.
Reset your clock settings.
Hide file extensions.
Hide the system/hidden files.
Reset System Restore again.
 
 





dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-8-2009 8:12 (GMT +1)
ok.. there is a thumb on my desktop.. I just moved it to the recycle bin and emptied it.. is that ok???

thanks for everything!!! is it really clean now??? omg thanks a bunch!!!!

Post Edited (dinkygenius) : 08-02-2009 07:39:57 GMT


Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16754
Posted 2-8-2009 8:36 (GMT +1)
You can type in restore point - Her/Now or whatever you like.




dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-8-2009 8:41 (GMT +1)
haha.. I sort of figured out that I can type in anything... thanks ya

dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-8-2009 1:20 (GMT +1)
oh no.. the generic host error in Win32 is back again!!

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16754
Posted 2-8-2009 4:58 (GMT +1)
Go to Start->Settings->Control Panel->Administrative Tools, and click on "Event Viewer".

The Event Viewer utility will allow you to review your system and application log files. Double-click on any error/warning entries you find that might relate to the problem and see if you can cut-n-paste that info here.




dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-8-2009 5:53 (GMT +1)
hi.. the picture is as attached

Image attachments: 4.jpg (7KB), 5.jpg (5KB), 6.jpg (8KB)

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16754
Posted 2-9-2009 7:11 (GMT +1)
I can't read the pictures, very small fonts ;-)
 
 
See if you can save in a txt/doc document




dinkygenius
New Member
Date Joined Feb 2009
Total Posts : 16
Posted 2-9-2009 12:21 (GMT +1)
oops.. sorry... now I can't print out my lecture notes... the computer can't sense the printer although the printer icon signifies that it's ready :(
 
would it be better if I just reformat the computer??

Image attachments: 1.jpg (161KB), 2.jpg (175KB), 3.bmp (224KB)