I got trojans on my computer and I am unable to get rid of them
Tux_Cito4u New Member Date Joined Sep 2008 Total Posts : 4 Posted 9-28-2008 10:41 (GMT +1) ComboFix 08-09-27.05 - Owner 2009-01-28 14:27:06.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.202 [GMT -8:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe * Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . - REDUCED FUNCTIONALITY MODE - . ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 ))))))))))))))))))))))))))))))) . 2009-01-28 13:35 . 2009-01-28 13:35 <DIR> d-------- C:\Program Files\CCleaner 2009-01-28 13:29 . 2009-01-28 13:29 <DIR> d-------- C:\Program Files\PC Registry Cleaner 2009-01-27 22:01 . 2009-01-27 22:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo! 2009-01-27 13:36 . 2009-01-27 13:36 0 --a------ C:\WINDOWS\system32\0 8rvYouC.exe.a_a 2009-01-27 11:36 . 2009-01-28 12:37 39,426 --a------ C:\WINDOWS\system32\0 8rvYouC.exe 2009-01-27 11:21 . 2009-01-27 11:20 30,272 --a------ C:\WINDOWS\system32\Le252lo3.exe 2009-01-27 11:21 . 2009-01-27 11:21 0 --a------ C:\WINDOWS\system32\Le252lo3.exe.a_a 2009-01-24 18:07 . 2009-01-24 18:07 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR 2009-01-24 18:07 . 2009-01-24 18:07 <DIR> d-------- C:\Program Files\Adobe Media Player 2009-01-18 12:24 . 2009-01-18 12:24 <DIR> d-------- C:\Program Files\Veoh Networks 2009-01-18 12:06 . 2009-01-18 12:06 <DIR> d-------- C:\WINDOWS\system32\scripting 2009-01-18 12:06 . 2009-01-18 12:06 <DIR> d-------- C:\WINDOWS\system32\en 2009-01-18 12:06 . 2009-01-18 12:06 <DIR> d-------- C:\WINDOWS\l2schemas 2009-01-17 09:18 . 2008-04-13 16:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll 2009-01-17 09:18 . 2008-04-13 16:12 61,952 --------- C:\WINDOWS\system32\rasqec.dll 2009-01-17 09:18 . 2008-04-13 16:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll 2009-01-17 09:18 . 
2008-04-13 16:12 32,768 --------- C:\WINDOWS\system32\setupn.exe 2009-01-17 09:18 . 2008-04-13 10:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys 2009-01-17 09:16 . 2008-04-13 16:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll 2009-01-16 11:50 . 2009-01-16 11:50 <DIR> d-------- C:\Program Files\Microsoft Silverlight 2009-01-16 11:32 . 2009-01-16 11:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2009-01-16 11:32 . 2009-01-16 11:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com 2009-01-16 11:32 . 2009-01-16 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2009-01-16 11:31 . 2009-01-28 13:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2009-01-12 11:38 . 2009-01-12 11:39 <DIR> d-------- C:\Program Files\GameTap 2009-01-12 11:38 . 2009-01-12 11:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield 2009-01-12 11:38 . 2009-01-12 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap 2009-01-02 21:15 . 2009-01-02 21:15 <DIR> d-------- C:\Program Files\Setup NetZero 2008-12-29 16:43 . 2008-12-29 16:43 <DIR> d-------- C:\Program Files\Common Files\xing shared 2008-12-29 16:41 . 2008-12-29 16:41 <DIR> d-------- C:\Program Files\Real 2008-12-29 16:41 . 2007-12-20 08:10 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll 2008-12-29 16:41 . 2007-12-20 08:10 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2009-01-28 19:42 --------- d-----w C:\Program Files\Starcraft 2009-01-18 20:24 --------- d--h--w C:\Program Files\InstallShield Installation Information 2009-01-18 20:21 --------- d-----w C:\Program Files\The Weather Channel FW 2009-01-18 20:20 --------- d-----w C:\Program Files\EVEMon 2009-01-18 20:20 --------- d-----w C:\Program Files\Cosmi 2009-01-10 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-12-30 00:42 --------- d-----w C:\Program Files\Common Files\Real 2008-12-28 00:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\CCP 2008-12-28 00:16 --------- d-----w C:\Program Files\CCP 2008-12-26 20:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\EVEMon . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-29 68856] "Yahoo! 
Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-06-19 50528] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-06-21 155648] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-06-21 126976] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-12-29 185896] C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ Adobe Media Player.lnk - C:\Program Files\Adobe Media Player\Adobe Media Player.exe [2009-01-24 260096] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv] 2008-04-29 20:58 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=wbsys.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"= R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program 
Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652] *Newly Created Service* - PROCEXP90 . Contents of the 'Scheduled Tasks' folder . - - - - ORPHANS REMOVED - - - - HKCU-Run-DW6 - C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7qnded61.default\ FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7 FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com/?src=aim FF -: plugin - C:\Program Files\GameTap\bin\Release\npgametaptool.dll FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-28 14:30:29 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
Completion time: 2009-01-28 14:32:58 ComboFix-quarantined-files.txt 2009-01-28 22:32:54 Pre-Run: 24,978,685,952 bytes free Post-Run: 25,113,874,432 bytes free 126 --- E O F --- 2009-01-20 06:48:35 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:37:08 PM, on 1/28/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Adobe Media Player\Adobe Media Player.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\system32\wscntfy.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Owner\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! 
Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Yahoo! 
Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197481332468 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197674781921 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - 
Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 5659 bytes
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 13812 Posted 9-29-2008 6:58 (GMT +1) Hello
I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. Avast! makes an excellent free antivirus client.
Install, update it, run a complete system scan.
Reboot.
Please download Malwarebytes' Anti-Malware:
Or here:
to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
Copy and paste that log into your next reply, along with a fresh ComboFix log.
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
Tux_Cito4u New Member Date Joined Sep 2008 Total Posts : 4 Posted 9-30-2008 4:58 (GMT +1) Malwarebytes' Anti-Malware 1.28 Database version: 1134 Windows 5.1.2600 Service Pack 3 1/29/2009 12:34:17 PM mbam-log-2009-01-29 (12-34-17).txt Scan type: Full Scan (C:\|) Objects scanned: 72986 Time elapsed: 27 minute(s), 48 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\08rvYouC.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\Le252lo3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully. ComboFix 08-09-28.03 - Owner 2009-01-29 20:49:59.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.175 [GMT -8:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe * Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . - REDUCED FUNCTIONALITY MODE - . ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 ))))))))))))))))))))))))))))))) . 2009-01-29 12:04 . 2009-01-29 12:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2009-01-29 12:04 . 
2009-01-29 12:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes 2009-01-29 12:04 . 2009-01-29 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2009-01-29 12:04 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2009-01-29 12:04 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2009-01-29 11:08 . 2009-01-29 11:08 <DIR> d-------- C:\Program Files\Alwil Software 2009-01-29 11:08 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll 2009-01-28 13:35 . 2009-01-28 13:35 <DIR> d-------- C:\Program Files\CCleaner 2009-01-28 13:29 . 2009-01-28 13:29 <DIR> d-------- C:\Program Files\PC Registry Cleaner 2009-01-27 22:01 . 2009-01-27 22:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo! 2009-01-27 11:21 . 2009-01-27 11:20 30,272 --a------ C:\WINDOWS\system32\Le252lo3.exe 2009-01-24 18:07 . 2009-01-24 18:07 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR 2009-01-24 18:07 . 2009-01-24 18:07 <DIR> d-------- C:\Program Files\Adobe Media Player 2009-01-18 12:24 . 2009-01-18 12:24 <DIR> d-------- C:\Program Files\Veoh Networks 2009-01-18 12:06 . 2009-01-18 12:06 <DIR> d-------- C:\WINDOWS\system32\scripting 2009-01-18 12:06 . 2009-01-18 12:06 <DIR> d-------- C:\WINDOWS\system32\en 2009-01-18 12:06 . 2009-01-18 12:06 <DIR> d-------- C:\WINDOWS\l2schemas 2009-01-17 09:18 . 2008-04-13 16:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll 2009-01-17 09:18 . 2008-04-13 16:12 61,952 --------- C:\WINDOWS\system32\rasqec.dll 2009-01-17 09:18 . 2008-04-13 16:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll 2009-01-17 09:18 . 2008-04-13 16:12 32,768 --------- C:\WINDOWS\system32\setupn.exe 2009-01-17 09:18 . 2008-04-13 10:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys 2009-01-17 09:16 . 2008-04-13 16:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll 2009-01-16 11:50 . 
2009-01-16 11:50 <DIR> d-------- C:\Program Files\Microsoft Silverlight 2009-01-16 11:32 . 2009-01-16 11:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2009-01-16 11:32 . 2009-01-16 11:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com 2009-01-16 11:32 . 2009-01-16 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2009-01-16 11:31 . 2009-01-28 13:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2009-01-12 11:38 . 2009-01-12 11:39 <DIR> d-------- C:\Program Files\GameTap 2009-01-12 11:38 . 2009-01-12 11:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield 2009-01-12 11:38 . 2009-01-12 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap 2009-01-02 21:15 . 2009-01-02 21:15 <DIR> d-------- C:\Program Files\Setup NetZero 2008-12-29 16:43 . 2008-12-29 16:43 <DIR> d-------- C:\Program Files\Common Files\xing shared 2008-12-29 16:41 . 2008-12-29 16:41 <DIR> d-------- C:\Program Files\Real 2008-12-29 16:41 . 2007-12-20 08:10 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll 2008-12-29 16:41 . 2007-12-20 08:10 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2008-12-27 16:24 . 2008-12-27 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CCP 2008-12-27 16:24 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll 2008-12-27 16:16 . 2008-12-27 16:16 <DIR> d-------- C:\Program Files\CCP 2008-12-26 12:00 . 2009-01-18 12:20 <DIR> d-------- C:\Program Files\EVEMon 2008-12-26 12:00 . 2008-12-26 12:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\EVEMon . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2009-01-28 19:42 --------- d-----w C:\Program Files\Starcraft 2009-01-18 20:24 --------- d--h--w C:\Program Files\InstallShield Installation Information 2009-01-18 20:21 --------- d-----w C:\Program Files\The Weather Channel FW 2009-01-18 20:20 --------- d-----w C:\Program Files\Cosmi 2009-01-10 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-12-30 00:42 --------- d-----w C:\Program Files\Common Files\Real . ((((((((((((((((((((((((((((( snapshot@2009-01-28_14.32.31.65 ))))))))))))))))))))))))))))))))))))))))) . + 2008-07-19 15:43:08 1,163,960 ----a-w C:\WINDOWS\system32\aswBoot.exe + 2008-07-19 15:30:53 94,392 ----a-w C:\WINDOWS\system32\AvastSS.scr + 2008-07-19 15:32:15 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys + 2008-07-19 15:37:42 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys + 2008-01-17 17:34:01 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys + 2008-07-19 15:37:21 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys + 2008-07-19 15:33:42 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys + 2008-07-19 15:35:18 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys + 2008-07-19 15:32:36 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys + 2009-01-30 04:43:31 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_55c.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-29 68856] "Yahoo! 
Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-06-19 50528] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-06-21 155648] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-06-21 126976] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-12-29 185896] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008] C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ Adobe Media Player.lnk - C:\Program Files\Adobe Media Player\Adobe Media Player.exe [2009-01-24 260096] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv] 2008-04-29 20:58 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=wbsys.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"= R1 aswSP;avast! 
Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560] R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652] . Contents of the 'Scheduled Tasks' folder . . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7qnded61.default\ FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7 FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com/?src=aim FF -: plugin - C:\Program Files\GameTap\bin\Release\npgametaptool.dll FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-29 20:50:40 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2009-01-29 20:53:58 ComboFix-quarantined-files.txt 2009-01-30 04:53:53 ComboFix2.txt 2009-01-29 20:41:14 ComboFix3.txt 2009-01-28 22:32:59 Pre-Run: 24,934,604,800 bytes free Post-Run: 24,923,975,680 bytes free 146 --- E O F --- 2009-01-20 06:48:35
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 13812 Posted 9-30-2008 8:49 (GMT +1) Delete this file -> C:\WINDOWS\system32\Le252lo3.exe
Possibly from safe mode.
Reboot, post a new HijackThis log and tell how things are running?
Tux_Cito4u New Member Date Joined Sep 2008 Total Posts : 4 Posted 9-30-2008 7:19 (GMT +1) It is running a little faster, but it still seems slower than normal. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:16:26 AM, on 1/30/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Adobe Media Player\Adobe Media Player.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Owner\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Yahoo! 
Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197481332468 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197674781921 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: avast! 
iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 6372 bytes
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 13812 Posted 10-1-2008 6:29 (GMT +1) Ok, then I'll suggest you optimize XP: http://www.microsoft.com/windowsxp/using/setup/expert/northrup_restoreperf.mspx
To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps: System Restore
Uninstall ComboFix
Go to Start -> Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter
This will ->
Uninstall ComboFix.
Delete its related folders and files.
Reset your clock settings.
Hide file extensions.
Hide the system/hidden files.
And resets System Restore again.
Tux_Cito4u New Member Date Joined Sep 2008 Total Posts : 4 Posted 10-1-2008 9:24 (GMT +1) Thank you for all of your help, I would have never been able to fix these problems by myself. If other people have problems I will know who to recommend them to.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 13812 Posted 10-3-2008 3:39 (GMT +1) Please do
Since this issue appears resolved ... this Topic is closed.
If you would like it to be reopened please contact me.
Thank you!