[Fixed] Hijackthis! Logs - Need HELP!!! posted in the Security & Safety forums

  #1  
Old 11-05-2007
Bronze Member
Join Date: Nov 2007
Posts: 31
PC Experience: Experienced
Need HELP!!!

Hi,

Today I suffered various spyware attacks on my PC after I installed the ZoneAlarm security software. I have found that some users encountered that too, and after I uninstalled it, the popups telling me that I am infected still persist and keep advising me to download the Best antivirus software. I have managed to stop it using Avast antivirus and Ad-Aware. I also realised that my Task Manager is disabled, and Run on the Start menu as well as the Restart and Shutdown icons are gone. I have managed to enable the Task Manager with TaskmangerFix, but the Run option and the icons are still gone. I am still suffering from popups from funny websites, and my registry is also disabled. Here is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 6:47:24 AM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Paul\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! Singapore
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\jttqbhsn.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll
O2 - BHO: (no name) - {E271F4E9-D46E-4C7A-8608-AFDD4A87E582} - (no file)
O2 - BHO: {077d5e0a-ce84-26ba-9454-634429630a1f} - {f1a03692-4436-4549-ab62-48eca0e5d770} - C:\WINDOWS\system32\eweeqteg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jttqbhsn.dll (file missing)
O4 - HKLM\..\Run: [] -
O4 - HKLM\..\Run: [d8b33215] rundll32.exe "C:\WINDOWS\system32\phdkeusb.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: crehcjid - C:\WINDOWS\SYSTEM32\crehcjid.dll
O20 - Winlogon Notify: jttqbhsn - jttqbhsn.dll (file missing)
O20 - Winlogon Notify: tuvwutu - tuvwutu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: Àøÿ - Àøÿ (file missing)
O20 - Winlogon Notify: ð 8ÿ - ð 8ÿ (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - -"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - -C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)

Thanks,
Pualo



Last edited by pualo; 11-05-2007 at 12:02 AM.
  #2  
Old 11-05-2007
Moderator
Join Date: Nov 2005
Location: England - Lancashire
Posts: 1,478
PC Experience: I know a fair amount, always learning
Re: Need HELP!!!

I have moved this to the HiJackThis! Log forum as it was accidentally created in the [Fixed] HiJackThis! Log forum.


__________________
BSOD's - PCHF Rules -Prework
If someone helped you, please consider clicking rate post

  #3  
Old 11-05-2007
Bronze Member
Join Date: Nov 2007
Posts: 31
PC Experience: Experienced
Re: Need HELP!!!

"Waving Hands Around"

Can someone pls help me??


  #4  
Old 11-05-2007
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,958
PC Experience: Elite PC Guru
Re: Need HELP!!!

Whooops....sorry about the foul up.


Please download Combofix from HERE or HERE

Save ComboFix to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.


__________________
My real name is Eddy
  #5  
Old 11-07-2007
Bronze Member
Join Date: Nov 2007
Posts: 31
PC Experience: Experienced
Re: Need HELP!!!

It's ok. Really glad that u r willing to help me. Let me thank u in advance. Actually after I posted for help, I created another account and deleted the old one. After that, everything seems normal again. I have also managed to delete some spyware using the a-squared free software. Nevertheless, I have followed ur instructions. Here are the log files:

ComboFix 07-11-07.3 - Safe 2007-11-07 9:27:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.523 [GMT 8:00]
Running from: F:\Paul\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\jttqbhsn.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SFSYNC02
-------\core
-------\NtmlSvc
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-07 09:26 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 01:40 <DIR> d-------- C:\Documents and Settings\Safe\Application Data\PowerChallenge
2007-11-06 01:12 <DIR> d-------- C:\Program Files\a-squared Free
2007-11-06 00:41 <DIR> d-------- C:\Documents and Settings\Safe\Contacts
2007-11-05 16:36 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-05 15:52 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-05 15:43 <DIR> d-------- C:\Documents and Settings\Safe\Application Data\Talkback
2007-11-05 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-05 14:23 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-05 14:23 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2007-11-05 14:23 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-05 14:23 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-05 14:23 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-05 06:09 <DIR> d-------- C:\Program Files\RegistryFix
2007-11-05 04:58 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-05 04:58 815,480 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-05 04:58 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-05 04:58 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-05 04:58 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-05 04:58 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-05 04:58 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-05 04:58 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-05 04:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-05 04:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-04 23:12 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-11-04 21:54 86,080 --a------ C:\WINDOWS\system32\phdkeusb.dll
2007-11-04 21:51 78,912 --a------ C:\WINDOWS\system32\eweeqteg.dll
2007-11-04 21:40 100,482 ---hs---- C:\WINDOWS\system32\xybeg.bak2
2007-11-04 14:11 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-04 10:07 28,160 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-11-04 09:56 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-11-04 09:56 58,640 --a------ C:\WINDOWS\zllsputility.exe
2007-11-04 09:56 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-11-04 09:56 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-04 09:40 6,465 ---hs---- C:\WINDOWS\system32\xybeg.bak1
2007-11-04 09:35 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-11-04 09:34 90,112 --a------ C:\WINDOWS\system32\crehcjid.dll
2007-11-04 09:34 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2007-11-04 09:33 <DIR> d-------- C:\WINDOWS\Web Download
2007-11-04 09:29 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-04 09:24 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-11-04 09:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-04 09:21 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2007-11-04 08:39 <DIR> d-------- C:\Program Files\Real Alternative
2007-11-03 07:46 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-10-31 22:33 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-10-28 17:29 <DIR> d-------- C:\WINDOWS\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 18:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-05 18:41 --------- d-----w C:\Program Files\NJStar Communicator
2007-11-04 19:54 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-04 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-03 10:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-29 01:52 --------- d-----w C:\Program Files\Java
2007-10-27 13:47 --------- d-----w C:\Program Files\TVU Player
2007-10-15 16:01 --------- d-----w C:\Program Files\DkZ Studio
2007-09-19 18:57 --------- d-----w C:\Program Files\tvants
2007-09-14 02:22 --------- d-----w C:\Program Files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f1a03692-4436-4549-ab62-48eca0e5d770}]
2007-11-04 21:51 78912 --a------ C:\WINDOWS\system32\eweeqteg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d8b33215"="C:\WINDOWS\system32\phdkeusb.dll" [2007-11-04 21:54]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 23:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 06:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 18:01:04]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-09-07 12:46:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]
crehcjid.dll 2007-11-04 09:34 90112 C:\WINDOWS\system32\crehcjid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\HÈ0ÿ]
HÈ0ÿ

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jttqbhsn]
jttqbhsn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwutu]
tuvwutu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Àøÿ]
Àøÿ

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ð 8ÿ]
ð 8ÿ

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\PCTINDIS5.SYS
S3 w550bus;Sony Ericsson W550 driver (WDM);C:\WINDOWS\system32\DRIVERS\w550bus.sys
S3 w550mdfl;Sony Ericsson W550 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w550mdfl.sys
S3 w550mdm;Sony Ericsson W550 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w550mdm.sys
S3 w550mgmt;Sony Ericsson W550 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w550mgmt.sys
S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w550obex.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 09:33:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 9:34:57 - machine was rebooted
.
--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 9:37:02 AM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Paul\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! Singapore
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll
O2 - BHO: {077d5e0a-ce84-26ba-9454-634429630a1f} - {f1a03692-4436-4549-ab62-48eca0e5d770} - C:\WINDOWS\system32\eweeqteg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll
O4 - HKLM\..\Run: [d8b33215] rundll32.exe "C:\WINDOWS\system32\phdkeusb.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: crehcjid - C:\WINDOWS\SYSTEM32\crehcjid.dll
O20 - Winlogon Notify: HÈ0ÿ - HÈ0ÿ (file missing)
O20 - Winlogon Notify: jttqbhsn - jttqbhsn.dll (file missing)
O20 - Winlogon Notify: tuvwutu - tuvwutu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: Àøÿ - Àøÿ (file missing)
O20 - Winlogon Notify: ð 8ÿ - ð 8ÿ (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - -"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)

Thanks again,
pualo


  #6  
Old 11-07-2007
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,958
PC Experience: Elite PC Guru
Re: Need HELP!!!

Ok. Combo has taken a few files out and now we need to remove the rest.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\ztvunrar36.dll
C:\WINDOWS\system32\unrar3.dll
C:\WINDOWS\system32\ztvunace26.dll
C:\WINDOWS\system32\unacev2.dll
C:\WINDOWS\system32\ztvcabinet.dll
C:\WINDOWS\system32\phdkeusb.dll
C:\WINDOWS\system32\eweeqteg.dll
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\crehcjid.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f1a03692-4436-4549-ab62-48eca0e5d770}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d8b33215"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\HÈ0ÿ]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jttqbhsn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwutu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Àøÿ]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ð 8ÿ]
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*


__________________
My real name is Eddy

Last edited by Pancake; 11-07-2007 at 08:20 AM.
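As an added example (not part of the thread, and not one of the tools the helpers used), here is a Python triage script that parses the HijackThis O2, O4, O7 and O20 lines posted above, flags the patterns that made those entries suspect (modules reported missing, random-named DLLs in system32, garbled Winlogon Notify names, the DisableRegedit policy) and renders the flagged entries in the File::/Registry:: CFScript layout Pancake used. The name heuristics are my assumptions rather than HijackThis or ComboFix rules, and the output is a draft for a reviewer to check against the full log.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis v1.99.1 lines copied from the first log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\jttqbhsn.dll (file missing)
O2 - BHO: {077d5e0a-ce84-26ba-9454-634429630a1f} - {f1a03692-4436-4549-ab62-48eca0e5d770} - C:\WINDOWS\system32\eweeqteg.dll
O4 - HKLM\..\Run: [d8b33215] rundll32.exe "C:\WINDOWS\system32\phdkeusb.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: crehcjid - C:\WINDOWS\SYSTEM32\crehcjid.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: Àøÿ - Àøÿ (file missing)
"""

# Heuristics are this example's assumptions, not HijackThis rules: an all-lowercase 7-9
# letter DLL directly under system32 and an 8-hex-digit Run value name are what this log showed.
RANDOM_DLL = re.compile(r"(?i:\\system32\\)[a-z]{7,9}\.dll")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+\.dll)')
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7 = re.compile(r"^O7 - (?P<key>.*), (?P<setting>\w+)=(?P<value>\d+)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

@dataclass
class Finding:
    section: str   # O2, O4, O7 or O20
    key: str       # BHO CLSID, Run value name, Notify subkey or policy key
    path: str      # on-disk module, "" when none
    present: bool  # False when HijackThis reported the file missing
    reason: str
    hive: str = ""  # HKLM/HKCU, O4 only

def _split_path(raw: str):
    """Separate a module path from a trailing '(file missing)' / '(no file)' marker."""
    for marker in ("(file missing)", "(no file)"):
        if raw.endswith(marker):
            return raw[: -len(marker)].strip(), False
    return raw.strip(), True

def _suspicion(name: str, path: str, present: bool):
    """Why a BHO or Winlogon Notify entry looks bad, or None if it looks normal."""
    if not name.isascii():
        return "garbled (non-ASCII) entry name"
    if not present:
        return "orphaned entry: registered but module file missing"
    if RANDOM_DLL.search(path) or name.startswith("{"):
        return "random-looking module name or no readable name"
    return None

def triage(log_text: str) -> list:
    """Return the entries matching the heuristics above, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := O2.match(line):
            path, present = _split_path(m["path"])
            if reason := _suspicion(m["name"], path, present):
                findings.append(Finding("O2", m["clsid"], path, present, reason))
        elif m := O4.match(line):
            dll = DLL_ARG.search(m["cmd"])
            if HEX_NAME.match(m["name"]) or (dll and RANDOM_DLL.search(dll[1])):
                findings.append(Finding("O4", m["name"], dll[1] if dll else "", True,
                                        "hex-named Run value or rundll32 loading a random DLL", m["hive"]))
        elif m := O7.match(line):
            findings.append(Finding("O7", m["key"], "", True, f"policy restriction {m['setting']}={m['value']}"))
        elif m := O20.match(line):
            path, present = _split_path(m["path"])
            if reason := _suspicion(m["name"], path, present):
                findings.append(Finding("O20", m["name"], path, present, reason))
    return findings

def build_cfscript(findings: list) -> str:
    """Render findings in the File::/Registry:: layout of the CFScript above (O7 is report-only)."""
    files = [f.path for f in findings if f.path and f.present]
    reg = []
    for f in findings:
        if f.section == "O2":
            reg.append(rf"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f.key}]")
        elif f.section == "O4":
            reg.append(f'[{HIVES[f.hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"{f.key}"=-')
        elif f.section == "O20":
            reg.append(rf"[-{NOTIFY_KEY}\{f.key}]")
    return "KillAll::\n\nFile::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(reg) + "\n"
```

Running `build_cfscript(triage(SAMPLE_LOG))` reproduces the d8b33215, eweeqteg, crehcjid and garbled-Notify lines of Pancake's script; the missing jttqbhsn.dll is left out of File:: because deleting a file that is not there does nothing.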
