Author Topic: I have 2 trojan ADwares  (Read 5070 times)

0 Members and 1 Guest are viewing this topic.

Offline Endless336

  • Newbie
  • *
  • Posts: 4
    • View Profile
I have 2 trojan ADwares
« on: July 13, 2008, 05:27:06 PM »
I'm using windows xp, I just found 2 trojans on my computer recently. Their names are WIN32:ADWARE-gen [ADW] and the other WIN32:Trojan-gen {other}vav.exe and I can't seem to delete them no matter what I do. I'm using AVAST and spybot and I just can't delete them...I already used the system restore off before scanning and going to safe mode and still mission accomplished. I've used hijackthis before and I know I can trust this program its just the reply on forums that I hope won't take long like I did before. So here is my log. Please help me...Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:31 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Megaupload\Mega Manager\MegaManager.exe
C:\WINDOWS\explorer.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [{c5565678-a9e5-4b2a-aa91-14247e475a85}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{626c1001-9886-8d96-6724-8550375a30c6}.dll" DllStart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\Antivirus2008\Antvrs.exe
O4 - HKCU\..\Run: [VnrPack16] "C:\Program Files\VnrPack\VnrPack16.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O21 - SSODL: StatAlrt - {4dce3848-cda5-4562-99cf-cc7f23c54c52} - C:\WINDOWS\Resources\StatAlrt.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 6243 bytes

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19335
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: I have 2 trojan ADwares
« Reply #1 on: July 13, 2008, 10:40:24 PM »
Hi, Endless336.  Welcome to LandzDown Forum.

If you mean that you turned cleared System Restore when you said "I already used the system restore off", let me point out that is not a good solution when infected.  The reason is that if something goes wrong, an infected restore point is better than none at all.  It is generally possible to re-clean an infection than none at all.

Please download ATF Cleaner by Atribune from http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25 .  Save it to your Desktop.

Run ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.
  • Shutdown/restart the computer.
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply and a fresh HijackThis log.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Endless336

  • Newbie
  • *
  • Posts: 4
    • View Profile
Re: I have 2 trojan ADwares
« Reply #2 on: July 14, 2008, 12:49:44 AM »
Hello, thank you for the fast reply. Here is the log you requested ^_^
Malwarebytes' Anti-Malware 1.20
Database version: 948
Windows 5.1.2600 Service Pack 2

9:33:40 PM 7/14/2008
mbam-log-7-14-2008 (21-33-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 61818
Time elapsed: 18 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 22
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 18
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Resources\StatAlrt.dll (Trojan.Clicker) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{684bfe7f-f5b2-4ab3-a95e-eb5036a2d286} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{684bfe7f-f5b2-4ab3-a95e-eb5036a2d286} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{f30021e9-f833-4cea-8577-7f8c80463b34} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{10b64bdf-2e05-4a8a-b470-a3c651d0ad00} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{10b64bdf-2e05-4a8a-b470-a3c651d0ad00} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83c35173-e029-42f1-9692-0341ee379a0d} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83c35173-e029-42f1-9692-0341ee379a0d} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\banneradsgalore (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\BrowsingEnhancer (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1eb6b918-0738-507d-b503-4c7b3df7317a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1eb6b918-0738-507d-b503-4c7b3df7317a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4dce3848-cda5-4562-99cf-cc7f23c54c52} (Trojan.Clicker) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{684bfe7f-f5b2-4ab3-a95e-eb5036a2d286} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{c5565678-a9e5-4b2a-aa91-14247e475a85} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\778670 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\Application Data (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\cs\Application Data (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\cs\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\cs\Documents and Settings (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\cs\jcboy (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\cs\res5 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\cs\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\Documents and Settings (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\jcboy (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\rwyidbdr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rdbdiywr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tmmihjtp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ptjhimmt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1BE25899-3891-471E-86F6-ABDFE47790E9}\RP1\A0000014.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1BE25899-3891-471E-86F6-ABDFE47790E9}\RP1\A0004034.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1BE25899-3891-471E-86F6-ABDFE47790E9}\RP2\A0004059.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\enxw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvWqRlk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\QdrDrive16.dll (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Documents and Settings\jcboy\Application Data\ShoppingReport\cs\res5\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{626c1001-9886-8d96-6724-8550375a30c6}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{626c1001-9886-8d96-6724-8550375a30c6}.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Resources\StatAlrt.dll (Trojan.Clicker) -> Delete on reboot.
C:\Program Files\tmp0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\tmp1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\tmp2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

It asked for it to restart my computer to delete some infected files and I did and hmm it seems like there's no more problem. So I decided to double check if there's really no more malwares. I ran hijcack again. Please check if there's no more boogie monsters hehe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:03 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1eb6b918-0738-507d-b503-4c7b3df7317a} - (no file)
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {83C35173-E029-42f1-9692-0341EE379A0D} - (no file)
O2 - BHO: (no name) - {8DFFA2ED-34DA-4FE3-83BC-841EAF37BCD6} - (no file)
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: (no name) - {E178979A-1897-400C-AED1-DE9F2B868B4E} - C:\WINDOWS\system32\fcccbBuT.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\Antivirus2008\Antvrs.exe
O4 - HKCU\..\Run: [VnrPack16] "C:\Program Files\VnrPack\VnrPack16.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: ssqQgEUK - ssqQgEUK.dll (file missing)
O21 - SSODL: StatAlrt - {4dce3848-cda5-4562-99cf-cc7f23c54c52} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 7529 bytes

there it is. thank you again

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19335
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: I have 2 trojan ADwares
« Reply #3 on: July 14, 2008, 10:06:15 AM »
Hi, Endless336. 

MBAM does a good job but based on what I see in your log, I think some additional work is needed. 

Please follow these instructions carefully: 

Download Combofix from any of the links below, and save it to your desktop.  For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

            Link 1
            Link 2
            Link 3


**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouse click the combofix window while it is running. That may cause it to stall.  Run ComboFix ONLY one time.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Endless336

  • Newbie
  • *
  • Posts: 4
    • View Profile
Re: I have 2 trojan ADwares
« Reply #4 on: July 14, 2008, 10:51:50 PM »
ComboFix 08-07-14.2 - jcboy 2008-07-15 19:27:05.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.309 [GMT -7:00]
Running from: C:\Documents and Settings\jcboy\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jcboy\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mpwoejqu.ini
C:\WINDOWS\system32\TuBbcccf.ini
C:\WINDOWS\system32\TuBbcccf.ini2
C:\WINDOWS\system32\wqcyqhwt.ini

.
(((((((((((((((((((((((((   Files Created from 2008-06-16 to 2008-07-16  )))))))))))))))))))))))))))))))
.

2008-07-14 21:11 . 2008-07-14 21:11   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-07-14 21:11 . 2008-07-14 21:11   <DIR>   d--------   C:\Documents and Settings\jcboy\Application Data\Malwarebytes
2008-07-14 21:11 . 2008-07-14 21:11   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-14 21:11 . 2008-07-07 17:35   34,296   --a------   C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-14 21:11 . 2008-07-07 17:35   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-07-14 14:05 . 2008-07-14 14:05   <DIR>   d--------   C:\Program Files\Trend Micro
2008-07-13 20:21 . 2008-07-13 20:21   <DIR>   d--------   C:\bintheredunthat
2008-07-12 22:30 . 2008-07-12 22:30   <DIR>   d--------   C:\Documents and Settings\Administrator\ChikkaDefault
2008-07-12 09:45 . 2008-07-12 09:48   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Winamp
2008-07-12 09:36 . 2008-07-12 22:30   <DIR>   d--------   C:\Documents and Settings\Administrator
2008-07-11 01:10 . 2008-07-11 01:10   230   --a------   C:\WINDOWS\wininit.ini
2008-07-11 00:59 . 2008-07-11 00:59   <DIR>   d--------   C:\Documents and Settings\jcboy\ShoppingReport
2008-07-11 00:59 . 2008-07-11 00:59   <DIR>   d--------   C:\Documents and Settings\jcboy\Documents and Settings
2008-07-11 00:59 . 2008-07-11 00:59   <DIR>   d--------   C:\Documents and Settings\cs
2008-07-11 00:35 . 2008-07-11 00:35   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2008-07-11 00:35 . 2008-07-11 01:11   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 00:32 . 2008-07-11 00:32   <DIR>   d--------   C:\Documents and Settings\Application Data
2008-07-11 00:20 . 2008-07-11 00:20   <DIR>   d--------   C:\Documents and Settings\Documents and Settings
2008-07-11 00:06 . 2008-07-11 00:06   <DIR>   d--------   C:\Documents and Settings\jcboy\Application Data\jcboy
2008-07-11 00:06 . 2008-07-11 00:06   <DIR>   d--------   C:\Documents and Settings\jcboy\Application Data\Documents and Settings
2008-07-11 00:06 . 2008-07-11 00:06   <DIR>   d--------   C:\Documents and Settings\jcboy\Application Data\Application Data
2008-07-11 00:05 . 2008-07-11 00:05   <DIR>   d--------   C:\Documents and Settings\ShoppingReport
2008-07-11 00:05 . 2008-07-11 00:05   <DIR>   d--------   C:\Documents and Settings\jcboy\jcboy
2008-07-10 20:00 . 2008-07-10 20:00   <DIR>   d--------   C:\Documents and Settings\report
2008-07-10 19:50 . 2008-07-10 19:50   <DIR>   d--------   C:\Documents and Settings\jcboy\Application Data\report
2008-07-10 19:40 . 2008-07-10 19:40   <DIR>   d--------   C:\Documents and Settings\jcboy\Application Data\cs
2008-07-10 15:36 . 2008-07-10 15:37   <DIR>   d--------   C:\iroseonline
2008-07-10 13:34 . 2008-07-10 13:34   <DIR>   d--------   C:\ijji
2008-07-10 13:34 . 2008-07-10 14:45   <DIR>   d--h-----   C:\Documents and Settings\jcboy\Application Data\ijjigame
2008-07-10 13:32 . 2008-07-10 13:32   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\IJJIGame
2008-07-10 12:39 . 2008-07-10 12:39   94,208   --a------   C:\WINDOWS\DIIUnin.exe
2008-07-10 12:39 . 2008-07-15 10:19   25,799   --a------   C:\WINDOWS\DIIUnin.dat
2008-07-10 12:39 . 2008-07-10 12:39   2,829   --a------   C:\WINDOWS\DIIUnin.pif
2008-07-10 12:22 . 2008-07-15 10:19   <DIR>   d--------   C:\Diablo II
2008-07-10 10:57 . 2008-07-15 08:40   <DIR>   d--------   C:\Program Files\softnyx
2008-07-04 18:11 . 2008-07-04 18:34   <DIR>   d--------   C:\Program Files\Badongo
2008-07-02 06:46 . 2008-07-06 11:18   <DIR>   d--------   C:\Temporary
2008-06-30 13:19 . 2008-06-30 13:19   <DIR>   d--------   C:\Program Files\Common Files\Blizzard Entertainment
2008-06-30 11:44 . 2008-07-15 09:22   50   --a------   C:\WINDOWS\MegaManager.INI
2008-06-30 11:33 . 2008-06-30 11:33   <DIR>   d--------   C:\Documents and Settings\jcboy\Application Data\Megaupload
2008-06-30 11:32 . 2008-06-30 11:32   <DIR>   d--------   C:\Program Files\Megaupload
2008-06-27 22:42 . 2008-06-27 22:47   <DIR>   d--------   C:\Program Files\Romcenter
2008-06-26 10:54 . 2008-06-26 10:54   <DIR>   d--------   C:\Documents and Settings\jcboy\Application Data\GetRightToGo
2008-06-26 10:52 . 2008-06-26 10:53   <DIR>   d--------   C:\Program Files\ACDSee32
2008-06-26 08:50 . 2008-06-26 08:51   <DIR>   dr-------   C:\Christmas Songs
2008-06-25 20:16 . 2008-07-06 19:42   38   --a------   C:\WINDOWS\avisplitter.INI
2008-06-25 19:19 . 2008-06-25 19:19   <DIR>   d--------   C:\Program Files\DMI
2008-06-25 19:07 . 2008-06-25 19:07   <DIR>   d--------   C:\Program Files\Western Digital
2008-06-24 10:45 . 2008-06-24 10:45   <DIR>   d--------   C:\Program Files\Chikka Messenger
2008-06-24 10:45 . 2008-06-24 10:45   <DIR>   d--------   C:\logs
2008-06-24 10:45 . 2008-06-24 10:45   <DIR>   d--------   C:\Documents and Settings\jcboy\ChikkaDefault
2008-06-22 16:26 . 2008-07-10 19:06   <DIR>   d--------   C:\Diablo Expansion
2008-06-21 23:54 . 2008-06-21 23:54   <DIR>   d--------   C:\Documents and Settings\jcboy\Application Data\Datel
2008-06-21 23:50 . 2008-06-21 23:50   <DIR>   d--------   C:\Program Files\Datel
2008-06-19 14:37 . 2007-09-18 16:34   512,000   --a------   C:\WINDOWS\system32\MP4Splitter.ax
2008-06-19 14:37 . 2006-03-11 04:56   438,272   --a------   C:\WINDOWS\system32\Mpeg2DecFilter.ax
2008-06-19 14:37 . 2005-11-25 21:46   421,888   --a------   C:\WINDOWS\system32\RealMediaSplitter.ax
2008-06-19 14:37 . 2004-01-11 15:47   327,680   --a------   C:\WINDOWS\system32\MatroskaSplitter.ax
2008-06-19 14:37 . 2005-11-25 23:13   266,240   --a------   C:\WINDOWS\system32\cddareader.ax
2008-06-19 14:37 . 2006-11-06 15:30   262,144   --a------   C:\WINDOWS\system32\lame_enc.dll
2008-06-19 14:37 . 2005-05-16 16:27   53,248   --a------   C:\WINDOWS\system32\AloFrame.ocx
2008-06-19 14:36 . 2004-03-09 00:00   224,016   --a------   C:\WINDOWS\system32\tabctl32.ocx
2008-06-19 14:36 . 2004-03-09 16:45   152,848   --a------   C:\WINDOWS\system32\Comdlg32.ocx
2008-06-19 14:36 . 2005-06-21 17:48   1   --a------   C:\WINDOWS\zitploi.dll
2008-06-19 14:18 . 2008-06-19 14:18   <DIR>   d--------   C:\Program Files\Witcobber

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 00:16   ---------   d-----w   C:\Program Files\FlashGet
2008-07-15 04:33   ---------   d-----w   C:\Documents and Settings\jcboy\Application Data\MegauploadToolbar
2008-07-10 20:48   ---------   d-----w   C:\Documents and Settings\jcboy\Application Data\uTorrent
2008-07-09 00:02   ---------   d-----w   C:\Program Files\Warcraft III
2008-07-08 23:42   ---------   d-----w   C:\Program Files\Garena
2008-07-08 17:24   ---------   d-----w   C:\Documents and Settings\jcboy\Application Data\LimeWire
2008-07-07 04:03   ---------   d-----w   C:\Documents and Settings\jcboy\Application Data\mIRC
2008-07-07 03:51   ---------   d-----w   C:\Program Files\mIRC
2008-06-30 18:32   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 04:42   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 04:42   ---------   d-----w   C:\Program Files\AoA DVD Creator
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 22:34   2,829   ----a-w   C:\WINDOWS\War3Unin.pif
2008-06-10 22:34   139,264   ----a-w   C:\WINDOWS\War3Unin.exe
2008-06-10 20:21   ---------   d-----w   C:\Documents and Settings\jcboy\Application Data\InstallShield
2008-06-10 20:12   ---------   d-----w   C:\Program Files\DAEMON Tools Pro
2008-06-10 20:12   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-06-10 20:11   ---------   d-----w   C:\Documents and Settings\jcboy\Application Data\DAEMON Tools Pro
2008-06-10 20:06   716,272   ----a-w   C:\WINDOWS\system32\drivers\sptd.sys
2008-06-10 10:06   ---------   d-----w   C:\Program Files\MSXML 4.0
2008-06-09 22:24   ---------   d-----w   C:\Program Files\Common Files\INCA Shared
2008-06-09 21:40   ---------   d-----w   C:\Program Files\uTorrent
2008-06-09 06:39   ---------   d-----w   C:\Program Files\Smart Projects
2008-06-09 05:50   ---------   d-----w   C:\Program Files\NeroInstall.bak
2008-06-09 05:48   ---------   d-----w   C:\Documents and Settings\jcboy\Application Data\Nero
2008-06-09 05:46   ---------   d-----w   C:\Program Files\Common Files\Nero
2008-06-09 05:40   ---------   d-----w   C:\Program Files\Nero
2008-06-09 05:40   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Nero
2008-06-09 05:38   ---------   d-----w   C:\Documents and Settings\jcboy\Application Data\Creative
2008-05-28 13:30   ---------   d-----w   C:\Program Files\Microsoft Reader
2008-05-23 06:44   ---------   d-----w   C:\Program Files\CDisplay
2008-05-19 10:19   ---------   d-----w   C:\Documents and Settings\jcboy\Application Data\AdobeUM
2008-05-19 10:18   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-05-18 16:39   ---------   d-----w   C:\Documents and Settings\jcboy\Application Data\Azureus
2008-05-16 18:35   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Azureus
2008-05-16 17:54   ---------   d-----w   C:\Program Files\Java
2008-05-16 17:47   ---------   d-----w   C:\Program Files\Common Files\Java
2008-05-16 01:55   16,368   ----a-w   C:\Documents and Settings\jcboy\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 01:54   ---------   d-----w   C:\Program Files\Microsoft ActiveSync
2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04   659,456   ----a-w   C:\WINDOWS\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2003-08-12 13:48 131072]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2008-01-15 07:17 277960]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00 45056]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"CTHelper"="CTHELPER.EXE" [2004-03-19 01:33 24576 C:\WINDOWS\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Garena\\Garena.exe"=
"C:\\Documents and Settings\\jcboy\\My Documents\\CabalRider_PH\\cfg\\res\\npc.res"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Downloads\\cabalbot.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=

R0 inic1622;inic1622;C:\WINDOWS\system32\DRIVERS\dmi1622.sys [2004-12-24 12:35]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
S3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\Gunbound Revolution\GameGuard\dump_wmimmc.sys []
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 14:05]
S3 NTProcDrv;Process creation detector for NT.;C:\Downloads\NtProcDrv.sys [2005-02-23 15:08]

.
- - - - ORPHANS REMOVED - - - -

BHO-{1eb6b918-0738-507d-b503-4c7b3df7317a} - (no file)
BHO-{83C35173-E029-42f1-9692-0341EE379A0D} - (no file)
BHO-{8DFFA2ED-34DA-4FE3-83BC-841EAF37BCD6} - (no file)
BHO-{E178979A-1897-400C-AED1-DE9F2B868B4E} - C:\WINDOWS\system32\fcccbBuT.dll
SSODL-StatAlrt-{4dce3848-cda5-4562-99cf-cc7f23c54c52} - (no file)
Notify-ssqQgEUK - ssqQgEUK.dll
Notify-WgaLogon - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 19:33:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-15 19:41:08 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-16 02:40:52

Pre-Run: 11,833,737,216 bytes free
Post-Run: 11,775,782,912 bytes free

213   --- E O F ---   2008-07-10 14:41:19


Thats the end of combofix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:49 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 7227 bytes

Thank you I really appreciate the help ^_^

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19335
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: I have 2 trojan ADwares
« Reply #5 on: July 15, 2008, 12:47:24 AM »
Hi, Endless336.  Thanks for those logs.  I am not a gamer and am unfamiliar with some of the items shown.  One of the primary research sites is having server issues.  As a result, it is exceedingly slow researching some of the items in our log.  To be sure I don't miss anything, l would like to see what an online scan shows. 

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases[/color][/b]
    • Click OK & have it scan My Computer
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
    * Turn off the real time scanner of any existing antivirus program while performing the online scan *

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.[/color]

    =====================

    Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    =====================

    Logs Required[/color]
    Kaspersky Scan Log
    Hijackthis Log


    Thanks.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Endless336

  • Newbie
  • *
  • Posts: 4
    • View Profile
Re: I have 2 trojan ADwares
« Reply #6 on: July 16, 2008, 10:49:59 AM »
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Thursday, July 17, 2008
 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Tuesday, July 15, 2008 16:05:05
 Records in database: 956227
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - Folder:
   C:\

Scan statistics:
   Files scanned: 30410
   Threat name: 2
   Infected objects: 2
   Suspicious objects: 0
   Duration of the scan: 01:44:46


File name / Threat name / Threats count
C:\limewire downloads\chojin sentai jetman.mp3   Infected: Trojan-Downloader.WMA.Wimad.n   1
C:\Program Files\mIRC\mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   1

The selected area was scanned.

After seeing I have a threat in my limewire folder I deleted it quickly. And here is my hijack log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:57 AM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: ssqQgEUK - C:\WINDOWS\
O21 - SSODL: StatAlrt - {4dce3848-cda5-4562-99cf-cc7f23c54c52} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 7572 bytes

Thank you for the help, hehe I feel like I just learned a whole lot this week. Thank you ^_^

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19335
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: I have 2 trojan ADwares
« Reply #7 on: July 17, 2008, 10:45:15 PM »
Hi, Endless336.  Let's do some important cleanup.

Close all programs leaving only HijackThis running.  Place a check against each of the following, making sure you get them all and not
any others by mistake:

O20 - Winlogon Notify: ssqQgEUK - C:\WINDOWS\
O21 - SSODL: StatAlrt - {4dce3848-cda5-4562-99cf-cc7f23c54c52} - (no file)


Click on Fix Checked when finished and exit HijackThis.

Next, please do the following
  • Click START then RUN
  • Now type Combofix /u in the runbox  and click OK.  Note the space between the X and the U, it needs to be there.


Finally, to restore the blue Avast (system tray) icon, please do a "Repair" of the Avast installation:

Go to Control Panel -> Add/Remove Programs -> avast! Anti-Virus -> Change/Remove ->
On the next screen, scroll down and select Repair -> Click Next and follow the prompts -> Reboot.

After rebooting, place your cursor over the blue Avast icon (near the clock).  It should indicate how many providers are installed and how many are running.  Right-clicking on that icon will give you access to many more functions/information, including stopping the resident (on-access) protection for the service pack update installation.

Please let us know if you have any questions.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.