Trojans failed to disinfect?


xxxxmoogle
New FixmyXP Member
Posts: 9
Joined: Fri Apr 04, 2008 2:14 am

Trojans failed to disinfect?

Post by xxxxmoogle » Sat Apr 05, 2008 8:37 am

The following failed to disinfect in Comodo AntiVirus:

Trojan.Win32.Inject.wn
Trojan-Downloader.Win32.INService.gen
not-a-virus:AdWare.Win32.Softomate.u
not-a-virus:AdWare.Win32.EZula.u
Trojan-Downloader.Win32.Small.cws
UnKnown
Trojan-Dropper.Win32.Agent.mu
Trojan-Downloader.Win32.IstBar.pb


Would there be any other way to have them deleted?

Squeezebox
Administrator
Posts: 1647
Joined: Sat Sep 24, 2005 9:51 pm
Location: UK

Re: Trojans failed to disinfect?

Post by Squeezebox » Sat Apr 05, 2008 9:55 am

I'm not familiar with Comodo, but are these trojans being detected in a System Restore point? Try turning off System Restore, then reboot and turn it back on again.

Alternatively, try scanning with Comodo in Safe Mode.

Essexboy
Administrator
Posts: 903
Joined: Wed Sep 14, 2005 11:20 am
Location: Helston - Cornwall

Re: Trojans failed to disinfect?

Post by Essexboy » Sun Apr 06, 2008 1:42 pm

Or failing that, I can remove them.

Download & Run HijackThis.exe
  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
VISTA
XPsp2
Avast (of course)


http://spaces.msn.com/members/essexboymkn/

If ignorance is bliss  why aren't more people happy?

xxxxmoogle
New FixmyXP Member
Posts: 9
Joined: Fri Apr 04, 2008 2:14 am

Re: Trojans failed to disinfect?

Post by xxxxmoogle » Thu Apr 10, 2008 1:57 am

Also, my taskbar is being a bit odd. It only shows the Quick Launch toolbar on it but no windows, and I have to navigate by pressing Alt+Tab instead.

And the Security Center would pop up and say "There is no firewall detected" and when I would click to change it, it's already on.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:12 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MOOGLE\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://*.asiafinest.com
O15 - Trusted Zone: http://*.glitter-graphics.net
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c46.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9615377250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9AAF2361-DA02-43C4-AD5A-BCE5B363DC0D} (Register Class) - http://web.spaceillusion.com/help/WebRegister1013.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BCA9A936-F557-408E-8301-D5B2B302EFD6} (SiUpdaterCtrl Class) - http://web.spaceillusion.com/help/iDanceUpdater1020.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D69969D6-C2CB-42EE-9651-E8B6663E88A5} (myBeatMDCTL Class) - http://web.spaceillusion.com/help/myBeatMD1159.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{234BFBB6-07BD-48AF-92E0-800FCBFB33D2}: NameServer = 209.244.0.3 209.244.0.4
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: haofjbmj.dll 
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O21 - SSODL: System - {61CBBCF4-B817-4A29-B74A-26F08810FD24} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8069 bytes


(By the way PeoplePC is my ISP)

Kabith
Rising Star
Posts: 107
Joined: Thu Nov 22, 2007 12:46 pm
Location: Bangalore

Re: Trojans failed to disinfect?

Post by Kabith » Thu Apr 10, 2008 6:00 am

EDIT: I removed your comments, Kabith; it's best not to offer any advice when Essexboy is on the case. (Even I don't 'interfere' while he's still at the analysis stages.)
Last edited by Squeezebox on Thu Apr 10, 2008 3:09 pm, edited 1 time in total.

Essexboy
Administrator
Posts: 903
Joined: Wed Sep 14, 2005 11:20 am
Location: Helston - Cornwall

Re: Trojans failed to disinfect?

Post by Essexboy » Thu Apr 10, 2008 7:53 pm

OK then, let's go kill it.

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c46.cab
O16 - DPF: {9AAF2361-DA02-43C4-AD5A-BCE5B363DC0D} (Register Class) - http://web.spaceillusion.com/help/WebRegister1013.cab
O16 - DPF: {BCA9A936-F557-408E-8301-D5B2B302EFD6} (SiUpdaterCtrl Class) - http://web.spaceillusion.com/help/iDanceUpdater1020.cab
O16 - DPF: {D69969D6-C2CB-42EE-9651-E8B6663E88A5} (myBeatMDCTL Class) - http://web.spaceillusion.com/help/myBeatMD1159.cab
O20 - AppInit_DLLs: haofjbmj.dll   
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O21 - SSODL: System - {61CBBCF4-B817-4A29-B74A-26F08810FD24} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.   


NEXT

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\WINDOWS\SYSTEM32\monln.dll
C:\WINDOWS\SYSTEM32\haofjbmj.dll  
Purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : OTMoveit and Combofix
Last edited by Essexboy on Thu Apr 10, 2008 7:56 pm, edited 1 time in total.
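To show the reasoning behind the entries ticked above, here is an added Python script (example code written for this page, not part of HijackThis or any tool used in the thread) that applies the same triage rules to HJT-style lines: anything whose target is "(no file)", the O6 Control Panel policy lock, O20 AppInit_DLLs and Winlogon Notify hooks, and O16 ActiveX downloads from hosts outside an allowlist are marked as candidates for Fix Checked, while Trusted Zone sites, DNS servers and unknown LSPs are marked for review. The sample lines are copied from the log posted above; the host allowlist is an assumption chosen for this example.

```python
"""Triage helper for HijackThis-style log lines (example code for this thread,
not part of HijackThis itself)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: hosts whose O16 ActiveX CABs are accepted without review. Picked
# for this example from vendors present in the thread's log; adjust per case.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "msn.com", "facebook.com", "myspace.com")

# Constructed sample: lines copied from the HijackThis log posted above, plus
# two known-good entries (Google Toolbar BHO, iPod service) as controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.asiafinest.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c46.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9615377250
O17 - HKLM\System\CCS\Services\Tcpip\..\{234BFBB6-07BD-48AF-92E0-800FCBFB33D2}: NameServer = 209.244.0.3 209.244.0.4
O20 - AppInit_DLLs: haofjbmj.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O21 - SSODL: System - {61CBBCF4-B817-4A29-B74A-26F08810FD24} - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O20"
    severity: str  # "high": candidate for Fix Checked; "review": needs context
    reason: str
    line: str


_SECTION_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def _host_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES)


def triage_line(line: str):
    """Classify one HJT line; returns a Finding or None when nothing stands out."""
    m = _SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if body.endswith("(no file)"):
        return Finding(section, "high", "orphaned entry: CLSID registered but its file is gone", line)
    if section == "O6":
        return Finding(section, "high", "IE policy restriction present; often used to lock the user out of settings", line)
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        return Finding(section, "high", "AppInit_DLLs is loaded into every process that loads user32.dll", line)
    if section == "O20" and body.startswith("Winlogon Notify:"):
        return Finding(section, "high", "DLL loaded into winlogon.exe (SYSTEM) at logon", line)
    if section == "O16":
        url = body.rsplit(" - ", 1)[-1]
        return None if _host_trusted(url) else Finding(
            section, "high", "ActiveX CAB downloaded from a host outside the allowlist", line)
    if section == "O15":
        return Finding(section, "review", "Trusted Zone site runs with relaxed IE security", line)
    if section == "O17":
        return Finding(section, "review", "confirm the NameServer addresses belong to your ISP", line)
    if section == "O10":
        return Finding(section, "review", "unknown Winsock LSP sees all socket traffic", line)
    return None


def triage(log_text: str) -> list:
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def fix_candidates(log_text: str) -> list:
    """Lines an analyst would tick for 'Fix Checked'."""
    return [f.line for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```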

xxxxmoogle
New FixmyXP Member
Posts: 9
Joined: Fri Apr 04, 2008 2:14 am

Re: Trojans failed to disinfect?

Post by xxxxmoogle » Thu Apr 10, 2008 10:36 pm

Thank you very much for the help.

Here is the OTMoveIt2 log:

DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\monln.dll
C:\WINDOWS\SYSTEM32\monln.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\monln.dll moved successfully.
File/Folder C:\WINDOWS\SYSTEM32\haofjbmj.dll not found.

C:\WINDOWS\?dobe moved successfully.
C:\WINDOWS\F?nts moved successfully.
C:\WINDOWS\?icrosoft moved successfully.
C:\WINDOWS\system32\?ppPatch moved successfully.
C:\WINDOWS\system32\??crosoft moved successfully.
C:\WINDOWS\system32\?ecurity moved successfully.
C:\WINDOWS\system32\??mantec moved successfully.
C:\WINDOWS\system32\??mbols moved successfully.
C:\WINDOWS\system32\?asks moved successfully.
C:\WINDOWS\system32\?asks moved successfully.
C:\WINDOWS\system32\W?nSxS moved successfully.
C:\Program Files\??sembly moved successfully.
C:\Program Files\F?nts moved successfully.
C:\Program Files\??mantec moved successfully.
C:\Program Files\?ystem moved successfully.
C:\Program Files\Common Files\S?mantec moved successfully.
C:\Documents and Settings\MOOGLE\My Documents\?dobe\New Folder (2) moved successfully.
C:\Documents and Settings\MOOGLE\My Documents\?dobe\Brushes moved successfully.
C:\Documents and Settings\MOOGLE\My Documents\?dobe moved successfully.
C:\Documents and Settings\MOOGLE\Application Data\??pPatch moved successfully.
C:\Documents and Settings\MOOGLE\Application Data\?ecurity moved successfully.
C:\Documents and Settings\MOOGLE\Application Data\??curity moved successfully.
C:\Documents and Settings\MOOGLE\Application Data\??stem moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04102008_173339

ComboFix Log:

ComboFix 08-04-10.4 - MOOGLE 2008-04-10 18:13:30.2 - NTFSx86
Running from: C:\Documents and Settings\MOOGLE\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\MOOGLE\Application Data\macromedia\Flash Player\#SharedObjects\C2WTK59M\www.broadcaster.com
C:\Documents and Settings\MOOGLE\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\MOOGLE\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\cmsystem
C:\Program Files\cmsystem\cmappupdate.exe
C:\Program Files\cmsystem\sf.txt
C:\Program Files\cmsystem\Uninstall.exe
C:\Program Files\Helper
C:\Program Files\Helper\1206401299.dll
C:\Program Files\winupdates
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
C:\WINDOWS\pf78.exe
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tpuninstall.exe
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\wtsisu.exe
C:\WINDOWS\system32\wtssvsu.exe

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Services  )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_NwSapAgent
-------\Service_Windows Overlay Components


(((((((((((((((((((((((((  Files Created from 2008-03-10 to 2008-04-10  )))))))))))))))))))))))))))))))
.

2008-04-10 18:04 . 2008-04-10 18:26 0 --a------ C:\WINDOWS\system.ini
2008-04-10 17:33 . 2008-04-10 17:33 d-------- C:\_OTMoveIt
2008-04-10 14:34 . 2008-04-10 14:34 11,776 --a------ C:\Resume.wps
2008-04-10 12:31 . 2008-04-10 12:31 d-------- C:\Documents and Settings\Phoukham\Application Data\Template
2008-04-09 22:04 . 2008-04-09 22:04 d-------- C:\d808d1b0862c2ba06d
2008-04-08 15:50 . 2008-04-08 15:50 512 --a------ C:\sek
2008-04-08 02:50 . 2008-04-10 18:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-08 02:50 . 2008-04-08 02:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-08 02:45 . 2008-04-08 02:45 d-------- C:\Program Files\iPod
2008-04-08 02:39 . 2008-04-08 02:40 d-------- C:\Program Files\QuickTime
2008-04-04 23:11 . 2008-04-04 23:11 d-------- C:\Documents and Settings\Sam Supanhnapom\Application Data\Lavasoft
2008-03-31 20:02 . 2008-03-31 21:29 d-------- C:\Documents and Settings\MOOGLE\.SunDownloadManager
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 18:27 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-25 18:27 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-25 18:27 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-25 18:27 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-25 18:27 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-25 18:27 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-25 18:27 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-25 18:03 . 2008-03-25 18:03 d-------- C:\Autoruns
2008-03-25 16:49 . 2008-03-25 16:49 276,316 --a------ C:\Pass2.cmd
2008-03-24 22:08 . 2008-03-25 18:36 1,828 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 22:05 . 2008-03-24 22:09 d-------- C:\Documents and Settings\MOOGLE\SmitfraudFix
2008-03-24 21:39 . 2008-03-24 21:39 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-03-24 21:39 . 2008-03-24 21:36 102,400 --a------ C:\WINDOWS\system32\drivers\cavasm.sys
2008-03-24 21:39 . 2008-03-24 21:36 73,728 --a------ C:\WINDOWS\system32\CavEmLSP.dll
2008-03-24 21:38 . 2008-03-24 21:37 434,252 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2008-03-20 23:56 . 2008-03-20 23:56 d-------- C:\Documents and Settings\MOOGLE\Application Data\Uniblue
2008-03-20 16:12 . 2008-03-24 22:00 d-------- C:\Program Files\Uniblue
2008-03-20 16:00 . 2008-03-24 21:39 d-------- C:\Program Files\comodo
2008-03-20 15:43 . 2008-03-20 15:43 d-------- C:\Program Files\Zamaan's Software
2008-03-20 15:43 . 1998-06-24 13:00 244,024 --a------ C:\WINDOWS\system32\MSFLXGRD.OCX
2008-03-20 15:43 . 2000-05-22 17:00 203,976 --a------ C:\WINDOWS\system32\richtx32.ocx
2008-03-20 15:43 . 2004-03-09 13:00 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-20 15:39 . 2008-03-20 15:39 d-------- C:\Documents and Settings\MOOGLE\Application Data\WinPatrol
2008-03-20 15:37 . 2008-03-20 15:37 d-------- C:\Program Files\BillP Studios
2008-03-20 15:36 . 2008-03-20 16:06 d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-20 15:35 . 2008-03-20 15:35 d-------- C:\Program Files\Windows Live
2008-03-20 15:35 . 2008-03-20 16:07 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 11:34 . 2007-10-27 23:46 2,400,784 --a------ C:\WLinstaller.exe
2008-03-16 14:20 . 2008-04-04 23:17 d-------- C:\Documents and Settings\Sam Supanhnapom\Application Data\Apple Computer
2008-03-13 12:24 . 2008-03-13 12:24 d-------- C:\Program Files\Clickincome Inc
2008-03-12 22:57 . 2008-03-25 15:45 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-12 22:54 . 2008-03-12 22:54 d-------- C:\Program Files\KeePass Password Safe
2008-03-11 16:21 . 2008-03-11 16:21 d-------- C:\Program Files\Bonjour
2008-03-10 17:33 . 2008-03-10 17:33 d-------- C:\Program Files\Smart Projects

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 07:45 --------- d-----w C:\Program Files\iTunes
2008-04-08 06:16 --------- d-----w C:\Program Files\PeoplePC
2008-04-05 01:05 --------- d-----w C:\Program Files\CompuServe 7.0
2008-04-04 02:01 --------- d-----w C:\Program Files\YourSiteBar
2008-03-25 19:07 --------- d-----w C:\Program Files\ewido anti-malware
2008-03-25 18:36 --------- d-----w C:\Program Files\Lavasoft
2008-03-25 02:37 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-25 02:37 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-25 02:37 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.DLL
2008-03-22 06:05 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-03-20 20:43 13,312 --s-a-w C:\WINDOWS\system32\lvhjtsa.dll
2008-03-19 05:30 --------- d-----w C:\Program Files\MSN Messenger
2008-03-19 05:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-11 21:21 --------- d-----w C:\Program Files\MySpace
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 01:36 --------- d-----w C:\Program Files\PeoplePC Accelerate
2008-02-28 01:35 --------- d-----w C:\Documents and Settings\MOOGLE\Application Data\PeoplePC Online
2008-02-21 02:45 --------- d-----w C:\Program Files\AIM6
2008-02-21 02:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-21 02:40 --------- d-----w C:\Program Files\Viewpoint
2008-02-21 02:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-21 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-11 00:59 --------- d-----w C:\Documents and Settings\MOOGLE\Application Data\GetRight
2008-02-10 16:35 --------- d-----w C:\Documents and Settings\Sam Supanhnapom\Application Data\MSN6
2008-01-29 17:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-02-01 23:11 582 ----a-w C:\Program Files\readme.txt
2007-02-01 23:02 313,344 ----a-w C:\Program Files\hjsplit.exe
2006-04-16 01:47 81 -c--a-w C:\Program Files\MDMaker2_en.xml_.md5
2006-04-15 23:10 81 -c--a-w C:\Program Files\MDMaker2_en.xml.md5
2006-04-15 23:10 217 -c--a-w C:\Program Files\MDMaker2_en.xml
2006-04-15 22:33 88 -c--a-w C:\Program Files\GayoList_MyDancer.xml.md5
2006-04-15 22:33 126 -c--a-w C:\Program Files\GayoList_MyDancer.xml
2005-07-21 08:02 280,064 ----a-w C:\Documents and Settings\MOOGLE\Application Data\tizhook.bin
2005-07-21 08:02 137,947 ----a-w C:\Documents and Settings\MOOGLE\Application Data\tizupd.bin
2005-07-14 17:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-07-28 05:13 56 -csh--r C:\WINDOWS\system32\F036A267D9.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2005-07-28 05:13 5,852 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-02-28 18:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 14:41 68856]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-08-09 18:20 67128]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lao Keyboard Mapping.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lao Keyboard Mapping.lnk
backup=C:\WINDOWS\pss\Lao Keyboard Mapping.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader40pd1aKeOaPN]
C:\WINDOWS\system32\slecconf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-09-03 17:25 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-03-04 09:29 782336 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Paltalk\\paltalk.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\aim\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\comodo\\Comodo AntiVirus\\CMain.exe"=
"C:\\Program Files\\AC3Filter\\ac3config.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14253:TCP"= 14253:TCP:*:Disabled:BitComet 14253 TCP
"14253:UDP"= 14253:UDP:*:Disabled:BitComet 14253 UDP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
TermService
wuauserv
BITS
ShellHWDetection
helpsvc
xmlprov
wscsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 23:23:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-05 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-04-10 20:15:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-04-10 01:45:43 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D6DF32E0-270D-4B30-B048-5BA11D674BAF}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2007-09-15 07:53:29 C:\WINDOWS\Tasks\Windows Media Player.job"
- C:\PROGRA~1\WINDOW~2\wmplayer.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 18:26:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 18:34:20
ComboFix-quarantined-files.txt  2008-04-10 23:33:49
Pre-Run: 35,298,697,216 bytes free
Post-Run: 35,277,099,008 bytes free
.
2008-04-10 20:10:37 --- E O F --- 
Last edited by xxxxmoogle on Thu Apr 10, 2008 11:38 pm, edited 1 time in total.

Essexboy
Administrator
Posts: 903
Joined: Wed Sep 14, 2005 11:20 am
Location: Helston - Cornwall

Re: Trojans failed to disinfect?

Post by Essexboy » Fri Apr 11, 2008 5:10 pm

How is it running now?

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

File::
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\lvhjtsa.dll
C:\WINDOWS\system32\slecconf.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader40pd1aKeOaPN]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

Image


6. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.
VISTA
XPsp2
Avast (of course)


http://spaces.msn.com/members/essexboymkn/

If ignorance is bliss  why aren't more people happy?

xxxxmoogle
New FixmyXP Member
Posts: 9
Joined: Fri Apr 04, 2008 2:14 am

Re: Trojans failed to disinfect?

Post by xxxxmoogle » Sat Apr 12, 2008 1:48 am

So far, it's the same I guess.
But I'm sure with the help you've given me
it's going to be better. Thank you very much. :D

Oh, I think I sort of recognized one of those files; the programs
VirusHeat and NetProject were infesting my computer last month...
I don't think I completely deleted them...
But for some reason, every time I log onto the computer, something will always pop up and tell me that my Firewall has been turned off, and I have no idea what is turning it off...

ComboFix 08-04-10.4 - MOOGLE 2008-04-11 21:13:59.3 - NTFSx86
Running from: C:\Documents and Settings\MOOGLE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MOOGLE\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\lvhjtsa.dll
C:\WINDOWS\system32\slecconf.exe
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\lvhjtsa.dll

.
(((((((((((((((((((((((((  Files Created from 2008-03-12 to 2008-04-12  )))))))))))))))))))))))))))))))
.

2008-04-11 21:14 . 2008-04-11 21:14 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-04-10 18:04 . 2008-04-10 18:26 0 --a------ C:\WINDOWS\system.ini
2008-04-10 17:33 . 2008-04-10 17:33 d-------- C:\_OTMoveIt
2008-04-10 14:34 . 2008-04-10 14:34 11,776 --a------ C:\Resume.wps
2008-04-10 12:31 . 2008-04-10 12:31 d-------- C:\Documents and Settings\Phoukham\Application Data\Template
2008-04-09 22:04 . 2008-04-09 22:04 d-------- C:\d808d1b0862c2ba06d
2008-04-08 15:50 . 2008-04-08 15:50 512 --a------ C:\sek
2008-04-08 02:50 . 2008-04-11 20:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-08 02:50 . 2008-04-08 02:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-08 02:45 . 2008-04-08 02:45 d-------- C:\Program Files\iPod
2008-04-08 02:39 . 2008-04-08 02:40 d-------- C:\Program Files\QuickTime
2008-04-04 23:11 . 2008-04-04 23:11 d-------- C:\Documents and Settings\Sam Supanhnapom\Application Data\Lavasoft
2008-03-31 20:02 . 2008-03-31 21:29 d-------- C:\Documents and Settings\MOOGLE\.SunDownloadManager
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 18:27 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-25 18:27 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-25 18:27 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-25 18:27 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-25 18:27 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-25 18:27 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-25 18:27 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-25 18:03 . 2008-03-25 18:03 d-------- C:\Autoruns
2008-03-25 16:49 . 2008-03-25 16:49 276,316 --a------ C:\Pass2.cmd
2008-03-24 22:08 . 2008-03-25 18:36 1,828 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 22:05 . 2008-03-24 22:09 d-------- C:\Documents and Settings\MOOGLE\SmitfraudFix
2008-03-24 21:39 . 2008-03-24 21:39 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-03-24 21:39 . 2008-03-24 21:36 102,400 --a------ C:\WINDOWS\system32\drivers\cavasm.sys
2008-03-24 21:39 . 2008-03-24 21:36 73,728 --a------ C:\WINDOWS\system32\CavEmLSP.dll
2008-03-24 21:38 . 2008-03-24 21:37 434,252 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2008-03-20 23:56 . 2008-03-20 23:56 d-------- C:\Documents and Settings\MOOGLE\Application Data\Uniblue
2008-03-20 16:12 . 2008-03-24 22:00 d-------- C:\Program Files\Uniblue
2008-03-20 16:00 . 2008-03-24 21:39 d-------- C:\Program Files\comodo
2008-03-20 15:43 . 2008-03-20 15:43 d-------- C:\Program Files\Zamaan's Software
2008-03-20 15:43 . 1998-06-24 13:00 244,024 --a------ C:\WINDOWS\system32\MSFLXGRD.OCX
2008-03-20 15:43 . 2000-05-22 17:00 203,976 --a------ C:\WINDOWS\system32\richtx32.ocx
2008-03-20 15:43 . 2004-03-09 13:00 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-20 15:39 . 2008-03-20 15:39 d-------- C:\Documents and Settings\MOOGLE\Application Data\WinPatrol
2008-03-20 15:37 . 2008-03-20 15:37 d-------- C:\Program Files\BillP Studios
2008-03-20 15:36 . 2008-03-20 16:06 d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-20 15:35 . 2008-03-20 15:35 d-------- C:\Program Files\Windows Live
2008-03-20 15:35 . 2008-03-20 16:07 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 11:34 . 2007-10-27 23:46 2,400,784 --a------ C:\WLinstaller.exe
2008-03-16 14:20 . 2008-04-04 23:17 d-------- C:\Documents and Settings\Sam Supanhnapom\Application Data\Apple Computer
2008-03-13 12:24 . 2008-03-13 12:24 d-------- C:\Program Files\Clickincome Inc
2008-03-12 22:57 . 2008-03-25 15:45 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-12 22:54 . 2008-03-12 22:54 d-------- C:\Program Files\KeePass Password Safe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 07:45 --------- d-----w C:\Program Files\iTunes
2008-04-08 06:16 --------- d-----w C:\Program Files\PeoplePC
2008-04-05 01:05 --------- d-----w C:\Program Files\CompuServe 7.0
2008-04-04 02:01 --------- d-----w C:\Program Files\YourSiteBar
2008-03-25 19:07 --------- d-----w C:\Program Files\ewido anti-malware
2008-03-25 18:36 --------- d-----w C:\Program Files\Lavasoft
2008-03-25 02:37 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-25 02:37 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-25 02:37 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.DLL
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 05:30 --------- d-----w C:\Program Files\MSN Messenger
2008-03-19 05:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-11 21:21 --------- d-----w C:\Program Files\MySpace
2008-03-11 21:21 --------- d-----w C:\Program Files\Bonjour
2008-03-10 22:33 --------- d-----w C:\Program Files\Smart Projects
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 01:36 --------- d-----w C:\Program Files\PeoplePC Accelerate
2008-02-28 01:35 --------- d-----w C:\Documents and Settings\MOOGLE\Application Data\PeoplePC Online
2008-02-21 02:45 --------- d-----w C:\Program Files\AIM6
2008-02-21 02:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-21 02:40 --------- d-----w C:\Program Files\Viewpoint
2008-02-21 02:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-21 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-29 17:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-02-01 23:11 582 ----a-w C:\Program Files\readme.txt
2007-02-01 23:02 313,344 ----a-w C:\Program Files\hjsplit.exe
2006-04-16 01:47 81 -c--a-w C:\Program Files\MDMaker2_en.xml_.md5
2006-04-15 23:10 81 -c--a-w C:\Program Files\MDMaker2_en.xml.md5
2006-04-15 23:10 217 -c--a-w C:\Program Files\MDMaker2_en.xml
2006-04-15 22:33 88 -c--a-w C:\Program Files\GayoList_MyDancer.xml.md5
2006-04-15 22:33 126 -c--a-w C:\Program Files\GayoList_MyDancer.xml
2005-07-21 08:02 280,064 ----a-w C:\Documents and Settings\MOOGLE\Application Data\tizhook.bin
2005-07-21 08:02 137,947 ----a-w C:\Documents and Settings\MOOGLE\Application Data\tizupd.bin
2005-07-14 17:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-07-28 05:13 56 -csh--r C:\WINDOWS\system32\F036A267D9.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2005-07-28 05:13 5,852 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-02-28 18:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
.

------- Sigcheck -------

2003-03-31 07:00  12800  0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 02:56  14336  8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 02:56  14336  8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
.
(((((((((((((((((((((((((((((  snapshot@2008-04-10_18.33.15.26  )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-19 09:40:27 1,845,888 ----a-w C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\updspapi.dll
+ 2008-02-20 06:52:43 282,624 ----a-w C:\WINDOWS\$hf_mig$\KB948590\SP2QFE\gdi32.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\updspapi.dll
- 2007-06-19 13:31:19 282,112 -c----w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c----w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-03-08 13:47:48 1,843,584 -c----w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c----w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-06-22 05:08:40 415,856 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-12 01:56:36 415,856 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 14:41 68856]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-08-09 18:20 67128]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lao Keyboard Mapping.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lao Keyboard Mapping.lnk
backup=C:\WINDOWS\pss\Lao Keyboard Mapping.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-09-03 17:25 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-03-04 09:29 782336 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Paltalk\\paltalk.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\aim\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\comodo\\Comodo AntiVirus\\CMain.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AC3Filter\\ac3config.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14253:TCP"= 14253:TCP:*:Disabled:BitComet 14253 TCP
"14253:UDP"= 14253:UDP:*:Disabled:BitComet 14253 UDP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
TermService
wuauserv
BITS
ShellHWDetection
helpsvc
xmlprov
wscsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 23:23:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-05 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-04-11 04:16:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-04-11 04:21:11 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D6DF32E0-270D-4B30-B048-5BA11D674BAF}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2007-09-15 07:53:29 C:\WINDOWS\Tasks\Windows Media Player.job"
- C:\PROGRA~1\WINDOW~2\wmplayer.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 21:25:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-11 21:27:37
ComboFix-quarantined-files.txt  2008-04-12 02:27:17
ComboFix2.txt  2008-04-10 23:34:21
Pre-Run: 36,249,337,856 bytes free
Post-Run: 36,226,281,472 bytes free
.
2008-04-12 01:49:52 --- E O F --- 
Last edited by xxxxmoogle on Sat Apr 12, 2008 3:00 am, edited 1 time in total.
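
The "Reg Loading Points" block in the ComboFix log above is the part worth reading closely: Security Center values that silence the antivirus status warning, two SafeBoot\Minimal entries that ComboFix lists only because they are not defaults, a firewall exception for an executable sitting in the root of C:\, and the BitComet port openings. The Python script below is an added example for this thread, not ComboFix's code and not part of the original posts. It parses that block out of a log pasted into a string and flags those four kinds of entries; the sample input is a constructed excerpt copied from the log above, and the value names, path rules and function names are the editor's assumptions, not ComboFix's.

```python
"""Flag entries worth a second look in the 'Reg Loading Points' block of a ComboFix log.
Added example for this thread, not ComboFix code; the value names and path rules
below are the editor's assumptions about what deserves review, not ComboFix's."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: an excerpt copied from the ComboFix log above.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\StubInstaller.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14253:TCP"= 14253:TCP:*:Disabled:BitComet 14253 TCP
"14253:UDP"= 14253:UDP:*:Disabled:BitComet 14253 UDP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
6to4
"""

Finding = Tuple[str, str, str]  # (category, subject, detail)

# Registry paths, lower-cased to match how parse_reg_sections() stores keys.
WSC_KEY = "hkey_local_machine\\software\\microsoft\\security center"
SAFEBOOT = "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\"
FW_APPS = "\\firewallpolicy\\standardprofile\\authorizedapplications\\list"
FW_PORTS = "\\firewallpolicy\\standardprofile\\globallyopenports\\list"
# XP SP2 Security Center values that, when set to 1, silence or override its own warnings.
WSC_SUPPRESS = {"antivirusdisablenotify", "antivirusoverride",
                "firewalldisablenotify", "firewalloverride", "updatesdisablenotify"}
DWORD_ONE = re.compile(r'^"([^"]+)"=(dword:0*1)$')
PORT_LINE = re.compile(r'^"[^"]+"=\s*(\d+):(TCP|UDP):[^:]*:(Enabled|Disabled):', re.I)


def parse_reg_sections(log: str) -> Dict[str, List[str]]:
    """Map each [key] block in 'Reg Loading Points' to its non-blank value lines.
    The bracketed blocks end where ComboFix prints the svchost NetSvcs list."""
    sections: Dict[str, List[str]] = {}
    current, inside = "", False
    for raw in log.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            inside = True
        elif inside and line.lower().endswith("- netsvcs"):
            break
        elif inside and re.match(r"^\[.+\]$", line):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif inside and current and line:
            sections[current].append(line)
    return sections


def _suspicious_path(path: str) -> str:
    """Heuristic (assumption): a firewall exception for a program in a drive root
    or a user-writable directory is unusual for legitimately installed software."""
    p = path.lower()
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        return "executable in drive root"
    if "\\documents and settings\\" in p or "\\temp\\" in p:
        return "executable in a user-writable location"
    return ""


def analyse(sections: Dict[str, List[str]]) -> List[Finding]:
    """Run the four checks; every finding is for a human to review, not to auto-delete."""
    findings: List[Finding] = []
    for key, values in sections.items():
        leaf = key.rsplit("\\", 1)[-1]
        if key == WSC_KEY:
            for m in filter(None, map(DWORD_ONE.match, values)):
                if m.group(1).lower() in WSC_SUPPRESS:
                    findings.append(("wsc_suppressed", m.group(1), m.group(2)))
        elif key.startswith(WSC_KEY + "\\monitoring\\"):
            for m in filter(None, map(DWORD_ONE.match, values)):
                if m.group(1).lower() == "disablemonitoring":
                    findings.append(("wsc_monitoring_disabled", leaf, m.group(2)))
        elif key.startswith(SAFEBOOT):
            # ComboFix omits default SafeBoot entries, so anything listed was added later.
            m = re.match(r'^@="(.*)"$', values[0]) if values else None
            findings.append(("safeboot_entry", leaf, m.group(1) if m else ""))
        elif key.endswith(FW_APPS):
            for m in filter(None, (re.match(r'^"(.+)"=$', v) for v in values)):
                path = m.group(1).replace("\\\\", "\\")  # undo the doubled backslashes
                if _suspicious_path(path):
                    findings.append(("fw_allowed_app", path, _suspicious_path(path)))
        elif key.endswith(FW_PORTS):
            for m in filter(None, map(PORT_LINE.match, values)):
                findings.append(("fw_open_port", f"{m.group(1)}/{m.group(2).upper()}", m.group(3)))
    return findings


if __name__ == "__main__":
    for category, subject, detail in analyse(parse_reg_sections(SAMPLE_LOG)):
        print(f"{category:24} {subject:45} {detail}")
```

Every hit is a review item rather than a deletion list: the Security Center values are exactly what a user might also set by hand to stop the nagging, and a SafeBoot entry only means something registered itself to survive Safe Mode. In this thread the tdidrv32.sys entry is the same service that the Malwarebytes log further down reports as Trojan.Zlob, while C:\StubInstaller.exe is a firewall exception for a file in the drive root that nothing else in the logs explains.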

xxxxmoogle
New FixmyXP Member
Posts: 9
Joined: Fri Apr 04, 2008 2:14 am

Re: Trojans failed to disinfect?

Post by xxxxmoogle » Sat Apr 12, 2008 3:01 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:03 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Documents and Settings\MOOGLE\Desktop\HiJackThis.exe
C:\Documents and Settings\MOOGLE\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://*.asiafinest.com
O15 - Trusted Zone: http://*.glitter-graphics.net
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9615377250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{234BFBB6-07BD-48AF-92E0-800FCBFB33D2}: NameServer = 209.244.0.3 209.244.0.4
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6388 bytes

Essexboy
Administrator
Posts: 903
Joined: Wed Sep 14, 2005 11:20 am
Location: Helston - Cornwall

Re: Trojans failed to disinfect?

Post by Essexboy » Sat Apr 12, 2008 10:31 am

Looks good now - we are getting there.

First I will sweep for orphan registry entries, and then I will reset your shell.

Please download Malwarebytes' Anti-Malware from Here or from http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT

Download fixshell.cmd from here http://cid-32d8666f4048075b.skydrive.li ... xShell.cmd then run it by double-clicking.
Reboot your system and post the MBAM log and an update on how your system is running now.

xxxxmoogle
New FixmyXP Member
Posts: 9
Joined: Fri Apr 04, 2008 2:14 am

Re: Trojans failed to disinfect?

Post by xxxxmoogle » Sun Apr 13, 2008 2:34 am

Malwarebytes' Anti-Malware 1.11
Database version: 619

Scan type: Quick Scan
Objects scanned: 43033
Time elapsed: 2 hour(s), 31 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6860a44b-5d3e-433d-a7b5-d517f810d0e7} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df47dd37-ac11-4a93-8e16-2b2364af0897} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdidrv32.sys (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\YourSiteBar (Trojan.Istbar) -> Delete on reboot.

Files Infected:
C:\Program Files\YourSiteBar\imagemap_normal.bmp (Trojan.Istbar) -> Quarantined and deleted successfully.
C:\Program Files\YourSiteBar\imagemap_over.bmp (Trojan.Istbar) -> Quarantined and deleted successfully.
C:\Program Files\YourSiteBar\Thumbs.db (Trojan.Istbar) -> Delete on reboot.
C:\Program Files\YourSiteBar\version.txt (Trojan.Istbar) -> Quarantined and deleted successfully.
C:\Program Files\YourSiteBar\yoursitebar.xml (Trojan.Istbar) -> Delete on reboot.
C:\WINDOWS\system32\ClickToFindandFixErrors.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_4.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_Intl.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON_Intl.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url (Rogue.Link) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Delete on reboot.
---


It's still acting the same, I suppose.
The thing that has been bothering me is the Security Center telling me my firewall is off every time I log on.

Essexboy
Administrator
Posts: 903
Joined: Wed Sep 14, 2005 11:20 am
Location: Helston - Cornwall

Re: Trojans failed to disinfect?

Post by Essexboy » Sun Apr 13, 2008 10:31 am

Are you still getting the firewall warning? As the last report looked good.

xxxxmoogle
New FixmyXP Member
Posts: 9
Joined: Fri Apr 04, 2008 2:14 am

Re: Trojans failed to disinfect?

Post by xxxxmoogle » Sun Apr 13, 2008 11:02 pm

Yeah, I'm still getting that warning; I just try to avoid clicking it.
Do you by any chance know how to fix the explorer.exe task in the Task Manager?
That's just one of the other problems I'm experiencing still...

Thanks for all the help, I really appreciate it.
I have no idea where my comp would be if I hadn't found this forum!

edit:

Oh yeah, every System Restore I attempted last March
never went through, but always just failed... Is there a solution to that?
Last edited by xxxxmoogle on Sun Apr 13, 2008 11:07 pm, edited 1 time in total.

Essexboy
Administrator
Posts: 903
Joined: Wed Sep 14, 2005 11:20 am
Location: Helston - Cornwall

Re: Trojans failed to disinfect?

Post by Essexboy » Mon Apr 14, 2008 7:25 pm

OK, reference the firewall: there is a neat solution, including the necessary reg files, here: http://forum.oscr.arizona.edu/showthread.php?t=2284

> Do you by any chance know how to fix the explorer.exe task in the Task Manager?
> That's just one of the other problems I'm experiencing still...

Could you give an explanation of this error?

> Oh yeah, every System Restore I attempted last March
> never went through, but always just failed... Is there a solution to that?

And this.
