
Solved: Popups: WinAntiVirus, SystemDoctor, others. HJT, AVG AntiSpyware, Active log posted

Discussion in 'Virus & Other Malware Removal' started by platinasti, Feb 13, 2007.

  1. platinasti

    platinasti Thread Starter

    Joined:
    Nov 7, 2006
    Messages:
    20
    I've been getting popups for a few days, mainly for WinAntivirus and SystemDoctor, but occasionally another one whose name I forget.

    I have run scans with Avast, Spybot Search & Destroy, Ad-Aware, HijackThis, SmitfraudFix, VundoFix (it didn't find anything), ATF-Cleaner, Ewido anti-spyware, Panda's ActiveScan and OINUninstaller, following the instructions from a similar thread about popups.

    It takes me hours to run all of those scans, and none of them fixed the problem.

    Any help would be extremely appreciated. :)

    In case it helps, I have posted my reports from HijackThis, Ewido anti-spyware and
    Panda's ActiveScan:
    ..................................................................................................................................

    Logfile of HijackThis v1.99.1
    Scan saved at 9:12:12, on 13.2.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\sistray.EXE
    C:\WINDOWS\system32\khooker.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Dict r&jecnik - C:\IE7\rjecnik.htm
    O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Map 6\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Map 6\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Map 6\AcPreview.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    ..................................................................................................................................

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:02:56 13.2.2007

    + Scan result:



    C:\Download Programi\Zaštita\OINUninstaller.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\Documents and Settings\Windows\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Windows\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.


    ::Report end

    ..................................................................................................................................


    Incident                                                Status           Location
    Adware:adware/navipromo                                 Not disinfected  c:\windows\system32\huimew_nav.dat
    Dialer:dialer.su                                        Not disinfected  hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
    Adware:Adware/NaviPromo                                 Not disinfected  C:\WINDOWS\SYSTEM32\HUIMEW.EXE
    Spyware:Cookie/DriveCleaner                             Not disinfected  C:\Documents and Settings\Windows\Cookies\[email protected][2].txt
    Spyware:Cookie/DriveCleaner                             Not disinfected  C:\Documents and Settings\Windows\Cookies\[email protected][1].txt
    Potentially unwanted tool:Application/SystemDoctor2006  Not disinfected  C:\FOUND.002\FILE0582.CHK
    Potentially unwanted tool:Application/Processor         Not disinfected  C:\Download Programi\Zaštita\SmitfraudFix\Process.exe
     
  2. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Could you please rename HijackThis.exe to fixvundo and press Enter, then post another HijackThis log.

    Please download ComboFix: http://download.bleepingcomputer.com/sUBs/combofix.exe
    and save it to the desktop.

    1. Double-click on combo.exe and follow the prompts.
    2. When finished, it will produce a log file located at C:\ComboFix.txt.
    3. Post the contents of that log in your next reply, with a new HijackThis log.

    Note:
    Do not mouse-click ComboFix's window while it is running; that may cause your system to stall or hang.
     
  3. platinasti

    platinasti Thread Starter

    Joined:
    Nov 7, 2006
    Messages:
    20
    Logfile of HijackThis v1.99.1
    Scan saved at 12:24:14, on 13.2.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\sistray.EXE
    C:\WINDOWS\system32\khooker.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Hijackthis\fixvundo.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Dict r&jecnik - C:\IE7\rjecnik.htm
    O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Map 6\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Map 6\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Map 6\AcPreview.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    .................................................................................................................................

    ComboFix Report;

    "Windows" - 07-02-13 12:26:22 Service Pack 2
    ComboFix 07-02-11 - Running from: "C:\Documents and Settings\Windows\Desktop"

    /wow section not completed - STAGE #4

    ((((((((((((((((((((((((((((((( Files Created from 2007-01-13 to 2007-02-13 ))))))))))))))))))))))))))))))))))


    2007-02-12 16:12 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-02-12 14:46 <DIR> d-------- C:\VundoFix Backups
    2007-02-12 14:39 <DIR> d-------- C:\Program Files\Java
    2007-02-12 14:38 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-02-09 09:43 <DIR> d-------- C:\DOCUME~1\Windows\Application Data\Ethereal
    2007-02-09 09:41 <DIR> d-------- C:\Program Files\Uniblue
    2007-02-09 09:41 <DIR> d-------- C:\DOCUME~1\Windows\Application Data\Uniblue
    2007-02-09 08:52 <DIR> d-------- C:\Program Files\Ethereal
    2007-02-06 14:39 <DIR> d-------- C:\Program Files\Panicware
    2007-02-01 11:46 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-02-01 11:42 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-01-31 08:07 <DIR> d-------- C:\Program Files\Hattrick Forever
    2007-01-30 14:03 5,632 --a------ C:\WINDOWS\system32\udcpm.dll
    2007-01-30 14:03 <DIR> d-------- C:\UDC Snapshots
    2007-01-30 14:03 <DIR> d-------- C:\Program Files\Universal Document Converter
    2007-01-29 12:19 <DIR> d-------- C:\Program Files\lineup2win
    2007-01-27 13:53 <DIR> d-------- C:\Program Files\Hattrick Viewer
    2007-01-26 14:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\netchviewer.de
    2007-01-26 14:26 <DIR> dr--s---- C:\WINDOWS\assembly
    2007-01-26 14:24 <DIR> d-------- C:\WINDOWS\Microsoft.NET
    2007-01-19 12:44 <DIR> d--h----- C:\BJPrinter
    2007-01-18 09:34 <DIR> d-------- C:\Program Files\XoftSpySE
    2007-01-18 07:49 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-01-18 07:49 <DIR> d-------- C:\Program Files\Grisoft
    2007-01-17 11:41 1,906 --a------ C:\WINDOWS\system32\tmp.reg
    2007-01-17 11:39 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-01-17 09:44 <DIR> d--hs---- C:\FOUND.002
    2007-01-16 07:36 <DIR> d-------- C:\WINDOWS\pss
    2007-01-14 15:36 <DIR> d-------- C:\WINDOWS\ie7updates


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-29 12:19 290816 --------- C:\WINDOWS\setup1.exe
    2007-01-18 07:32 200 --a------ C:\WINDOWS\audc70ui.dat
    2007-01-15 18:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe
    2007-01-15 18:26 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-01-15 18:25 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-01-15 18:23 90112 --a------ C:\WINDOWS\system32\avastss.scr
    2007-01-11 12:28 16224 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
    2007-01-11 12:28 -------- d-------- C:\Program Files\hamachi
    2007-01-11 12:28 -------- d-------- C:\DOCUME~1\Windows\Application Data\hamachi
    2007-01-09 11:53 -------- d-------- C:\Program Files\msn messenger
    2007-01-08 08:04 20480 --a------ C:\WINDOWS\normaliz.dll
    2007-01-04 23:26 -------- d-------- C:\Program Files\sis compatible vga v2.22
    2006-12-21 00:56 94424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2006-12-21 00:56 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2006-12-21 00:51 31560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SiS Tray"="C:\\WINDOWS\\system32\\sistray.EXE"
    "SiS KHooker"="C:\\WINDOWS\\system32\\khooker.exe"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "UDC Integration"=""
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\Disabled]
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\IVTCOR~1\\BLUESO~1\\BLUESO~1.EXE "
    "item"="BlueSoleil"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msnmsgr"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NeroCheck"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RSD_HDDThermo]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HDD Thermometer"
    "hkey"="HKCU"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="RegistryBooster"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winampa"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Winamp\\winampa.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "BITS"=dword:00000002


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    Usnsvc REG_MULTI_SZ usnsvc\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\XoftSpySE.job


    ********************************************************************

    catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    detected NTDLL code modification:
    ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

    scanning hidden processes ...

    HUIMEW.EXE [2552]

    scanning hidden services ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    huimew = c:\windows\system32\huimew.exe huimew

    scanning hidden files ...

    C:\WINDOWS\system32\huimew.exe 278528 bytes
    C:\WINDOWS\system32\huimew.dat 16384 bytes
    C:\WINDOWS\system32\huimew_nav.dat 278528 bytes
    C:\WINDOWS\system32\huimew_navps.dat 16384 bytes
    C:\WINDOWS\Prefetch\HUIMEW.EXE-2A05DEB6.pf 32768 bytes

    scan completed successfully
    hidden processes: 1
    hidden services: 0
    hidden files: 5

    ********************************************************************

    Completion time: 07-02-13 12:27:55
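
    The catchme section of the ComboFix log above carries the finding that matters: four ntdll exports that back directory listing, registry enumeration and process listing have been patched, and a process, a Run value and five files that ordinary tools cannot see all share the name huimew. The Python script below is an added example, not part of this thread and not code from ComboFix or catchme. It parses that section, maps each hooked export to the object type it lets the rootkit hide, checks the entries it parsed against the totals catchme prints, and groups the hidden Run value and files under the hidden process by name stem. The sample input is the catchme block from the log above with blank lines dropped; the name-stem grouping in correlate() is the example's own heuristic.

```python
"""Turn the catchme section of a ComboFix log into a cross-checked indicator set.
catchme diffs what the (hooked) Windows API reports against the raw file system,
registry and process list; whatever exists only in the raw view is 'hidden'."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Which enumeration each hooked ntdll export backs (documented Windows behaviour).
WHAT_IT_HIDES = {
    "ZwQueryDirectoryFile": "files and directories",
    "ZwEnumerateKey": "registry keys",
    "ZwEnumerateValueKey": "registry values (Run entries)",
    "ZwQuerySystemInformation": "processes",
}

# Constructed sample: the catchme block from the ComboFix log above, blank lines dropped.
SAMPLE = r"""catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation
scanning hidden processes ...
HUIMEW.EXE [2552]
scanning hidden services ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
huimew = c:\windows\system32\huimew.exe huimew
scanning hidden files ...
C:\WINDOWS\system32\huimew.exe 278528 bytes
C:\WINDOWS\system32\huimew.dat 16384 bytes
C:\WINDOWS\system32\huimew_nav.dat 278528 bytes
C:\WINDOWS\system32\huimew_navps.dat 16384 bytes
C:\WINDOWS\Prefetch\HUIMEW.EXE-2A05DEB6.pf 32768 bytes
scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 5
"""

SECTION_RE = re.compile(r"^scanning hidden (\w+)(?: entries)? \.\.\.$")
PROC_RE = re.compile(r"^(\S+)\s+\[(\d+)\]$")
FILE_RE = re.compile(r"^(.+?)\s+(\d+)\s+bytes$")
VALUE_RE = re.compile(r"^(\S+?)\s*=\s*(.+)$")
FOOTER_RE = re.compile(r"^hidden (processes|services|files):\s*(\d+)$")

@dataclass
class CatchmeReport:
    hooked: List[str] = field(default_factory=list)
    processes: List[Tuple[str, int]] = field(default_factory=list)        # (image, pid)
    services: List[str] = field(default_factory=list)
    autostarts: List[Tuple[str, str, str]] = field(default_factory=list)  # (key, name, command)
    files: List[Tuple[str, int]] = field(default_factory=list)            # (path, size)
    footer: Dict[str, int] = field(default_factory=dict)                  # totals catchme printed

def parse_catchme(text: str) -> CatchmeReport:
    """State machine keyed on the 'scanning hidden ...' section headers."""
    r, section, key, want_hooks = CatchmeReport(), None, None, False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if want_hooks:                      # the line after 'detected NTDLL code modification:'
            r.hooked, want_hooks = [f.strip() for f in line.split(",")], False
        elif line.startswith("detected NTDLL code modification"):
            want_hooks = True
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := FOOTER_RE.match(line):
            r.footer[m.group(1)] = int(m.group(2))
        elif section == "processes" and (m := PROC_RE.match(line)):
            r.processes.append((m.group(1), int(m.group(2))))
        elif section == "services":
            r.services.append(line)
        elif section == "autostart":        # a key line, then 'name = command' lines under it
            if (m := VALUE_RE.match(line)) and key:
                r.autostarts.append((key, m.group(1), m.group(2)))
            else:
                key = line
        elif section == "files" and (m := FILE_RE.match(line)):
            r.files.append((m.group(1), int(m.group(2))))
    return r

def concealment(r: CatchmeReport) -> Dict[str, str]:
    """Object types the rootkit can hide, derived from the hooked exports."""
    return {f: WHAT_IT_HIDES.get(f, "unknown") for f in r.hooked}

def counts_consistent(r: CatchmeReport) -> bool:
    """catchme prints its own totals; a mismatch means the pasted log was cut or edited."""
    parsed = {"processes": len(r.processes), "services": len(r.services), "files": len(r.files)}
    return all(r.footer.get(k) == v for k, v in parsed.items())

def correlate(r: CatchmeReport) -> Dict[str, dict]:
    """Group the hidden autostart entries and files under the hidden process whose image
    stem (e.g. 'huimew') they contain: one removal bundle per implant (heuristic)."""
    out = {}
    for image, pid in r.processes:
        stem = image.lower().rsplit(".", 1)[0]
        out[stem] = {
            "pid": pid,
            "autostart": [a for a in r.autostarts if stem in a[2].lower()],
            "files": [p for p, _ in r.files if stem in p.lower().rsplit("\\", 1)[-1]],
        }
    return out

if __name__ == "__main__":
    rep = parse_catchme(SAMPLE)
    print(concealment(rep), counts_consistent(rep), correlate(rep), sep="\n")
```

    Run as a script it prints, for the embedded sample, the four hooked exports with what each one hides, a True/False consistency check against catchme's own totals, and one bundle for huimew holding its PID, its Run value and its five files.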
     
  4. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Download GMER's application from here:
    http://www.majorgeeks.com/GMER_d5198.html
    Unzip it and start GMER.exe.
    Click the Rootkit tab and click the Scan button.
    Once done, click the Copy button.
    This will copy the results to your clipboard.
    Paste the results in your next reply.
    Warning! Please do not select the "Show all" checkbox during the scan.

    If you're having problems running GMER.exe, try it in safe mode.
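
    GMER's output (the scan requested above) prints one line per patched export per process: the process and PID, the export, its address, the size of the overwrite (5 bytes is a plain E9 JMP), the jump target and, when GMER can resolve it, the module that owns that target. A patch that resolves to a named module is usually a legitimate hook (in this thread's log, IE's own IEFRAME.dll); a patch that jumps to an unattributed address, the same address in every process, is the signature of one DLL injected system-wide. The Python script below is an added example, not part of this thread and not code from GMER. It parses such lines, separates attributed from unattributed hooks and groups the unattributed targets by process. The sample lines are copied from the GMER log posted later in this thread; the 64 KiB clustering window and the reading of 0x10000000 as a DLL's default image base are the example's own assumptions.

```python
"""Triage GMER 'User code sections' output: which inline hooks jump to code that
GMER could not attribute to any loaded module, and in which processes."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in GMER 1.0.12's format; the .text lines are copied from the
# log posted in this thread, the SSDT line shows that kernel entries are skipped.
SAMPLE_LOG = r"""---- System - GMER 1.0.12 ----
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
.text C:\Program Files\Internet Explorer\iexplore.exe[1288] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!SetWindowLongA 77D4D60D 5 Bytes JMP 7E38C60B C:\WINDOWS\system32\IEFRAME.dll
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1120] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<target_module>\S.*?))?\s*$"
)

@dataclass(frozen=True)
class Hook:
    process: str                  # image path as GMER prints it
    pid: int
    module: str                   # DLL that exports the patched function
    func: str
    addr: int                     # address of the patched export
    size: int                     # bytes overwritten; 5 is a plain E9 rel32 JMP
    target: int                   # where the JMP lands
    target_module: Optional[str]  # None when GMER could not attribute the target

def parse_hooks(text: str) -> List[Hook]:
    """Parse the '.text' lines; SSDT, headers and blank lines are skipped."""
    hooks = []
    for line in text.splitlines():
        if m := HOOK_RE.match(line.strip()):
            hooks.append(Hook(m["proc"], int(m["pid"]), m["module"], m["func"],
                              int(m["addr"], 16), int(m["size"]),
                              int(m["target"], 16), m["target_module"]))
    return hooks

def unattributed(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose jump target is not inside any named module."""
    return [h for h in hooks if h.target_module is None]

def targets_by_process(hooks: List[Hook]) -> Dict[int, List[int]]:
    """Unattributed JMP target -> sorted PIDs it was seen in. The same target in many
    processes means one payload mapped at the same address everywhere."""
    seen = defaultdict(set)
    for h in unattributed(hooks):
        seen[h.target].add(h.pid)
    return {t: sorted(p) for t, p in seen.items()}

def hooked_exports(hooks: List[Hook]) -> List[str]:
    """Distinct 'module!function' names carrying an unattributed hook."""
    return sorted({f"{h.module}!{h.func}" for h in unattributed(hooks)})

def guess_injected_base(hooks: List[Hook], window: int = 0x10000) -> Optional[int]:
    """Heuristic (this example's assumption, not something GMER reports): if every
    unattributed target sits in one 64 KiB window, return that window's floor as the
    probable image base of a single injected DLL. 0x10000000 is the default base the
    Microsoft linker assigns to DLLs, so a cluster there is a DLL loaded unrelocated."""
    targets = sorted({h.target for h in unattributed(hooks)})
    if not targets:
        return None
    base = targets[0] & ~(window - 1)
    return base if targets[-1] - base < window else None

def report(text: str) -> str:
    """One-screen triage summary."""
    hooks = parse_hooks(text)
    out = [f"{len(hooks)} user-mode hooks, {len(unattributed(hooks))} unattributed"]
    if (base := guess_injected_base(hooks)) is not None:
        out.append(f"unattributed targets cluster at {base:08X}: likely one injected DLL")
    for target, pids in sorted(targets_by_process(hooks).items()):
        out.append(f"  JMP {target:08X} seen in pids {pids}")
    out.append("hooked exports: " + ", ".join(hooked_exports(hooks)))
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    Run as a script it prints the summary for the embedded sample; pass a full pasted GMER log to report() to triage it. The IEFRAME.dll entry is kept in the parsed list but excluded from the unattributed set, which is the distinction the summary is built on.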
     
  5. platinasti

    platinasti Thread Starter

    Joined:
    Nov 7, 2006
    Messages:
    20
    GMER 1.0.12.12027 - http://www.gmer.net
    Rootkit scan 2007-02-14 08:06:09
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

    ---- User code sections - GMER 1.0.12 ----

    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE[660] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE[660] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE[660] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE[660] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE[660] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE[660] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE[660] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE[660] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63
    .text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\WINDOWS\SYSTEM32\SERVICES.EXE[828] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1068] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1068] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1068] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1068] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1068] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1068] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1068] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1068] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1120] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1120] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1120] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1120] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63
    .text C:\WINDOWS\EXPLORER.EXE[1184] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\EXPLORER.EXE[1184] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\EXPLORER.EXE[1184] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\EXPLORER.EXE[1184] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\EXPLORER.EXE[1184] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\WINDOWS\EXPLORER.EXE[1184] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\WINDOWS\EXPLORER.EXE[1184] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\WINDOWS\EXPLORER.EXE[1184] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!SetWindowLongA 77D4D60D 5 Bytes JMP 7E38C60B C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!SetWindowLongW 77D4D62B 5 Bytes JMP 7E38C63C C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!DialogBoxParamW 77D5662C 5 Bytes JMP 7E1F5415 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!DialogBoxIndirectParamW 77D62043 5 Bytes JMP 7E38C510 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!MessageBoxIndirectA 77D6A05A 5 Bytes JMP 7E38C491 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!DialogBoxParamA 77D6B11C 5 Bytes JMP 7E38C4D5 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!MessageBoxExA 77D8055C 5 Bytes JMP 7E38C413 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!DialogBoxIndirectParamA 77D86CAD 5 Bytes JMP 7E38C54B C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!MessageBoxIndirectW 77D96093 5 Bytes JMP 7E38C44D C:\WINDOWS\system32\IEFRAME.dll
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE[1692] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE[1692] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE[1692] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE[1692] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE[1692] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE[1692] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE[1692] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE[1692] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63
    .text C:\Download Programi\Zaštita\gmer.exe[2060] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
    .text C:\Download Programi\Zaštita\gmer.exe[2060] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
    .text C:\Download Programi\Zaštita\gmer.exe[2060] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
    .text C:\Download Programi\Zaštita\gmer.exe[2060] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
    .text C:\Download Programi\Zaštita\gmer.exe[2060] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\Download Programi\Zaštita\gmer.exe[2060] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\Download Programi\Zaštita\gmer.exe[2060] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\Download Programi\Zaštita\gmer.exe[2060] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2108] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2108] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2108] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2108] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2108] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2108] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2108] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2108] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63
    .text C:\WINDOWS\SYSTEM32\HUIMEW.EXE[2176] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0172200E
    .text C:\WINDOWS\SYSTEM32\HUIMEW.EXE[2176] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01721DAF
    .text C:\WINDOWS\SYSTEM32\HUIMEW.EXE[2176] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01721CF2
    .text C:\WINDOWS\SYSTEM32\HUIMEW.EXE[2176] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0172191B
    .text C:\WINDOWS\SYSTEM32\HUIMEW.EXE[2176] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01722D81
    .text C:\WINDOWS\SYSTEM32\HUIMEW.EXE[2176] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01722CF3
    .text C:\WINDOWS\SYSTEM32\HUIMEW.EXE[2176] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 01722EF4
    .text C:\WINDOWS\SYSTEM32\HUIMEW.EXE[2176] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 01722E63
    .text C:\WINDOWS\system32\DfrgFat.exe[2804] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\system32\DfrgFat.exe[2804] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\system32\DfrgFat.exe[2804] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\system32\DfrgFat.exe[2804] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\system32\DfrgFat.exe[2804] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\WINDOWS\system32\DfrgFat.exe[2804] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\WINDOWS\system32\DfrgFat.exe[2804] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\WINDOWS\system32\DfrgFat.exe[2804] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63
    .text C:\WINDOWS\system32\mmc.exe[3824] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
    .text C:\WINDOWS\system32\mmc.exe[3824] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
    .text C:\WINDOWS\system32\mmc.exe[3824] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
    .text C:\WINDOWS\system32\mmc.exe[3824] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
    .text C:\WINDOWS\system32\mmc.exe[3824] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
    .text C:\WINDOWS\system32\mmc.exe[3824] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002CF3
    .text C:\WINDOWS\system32\mmc.exe[3824] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002EF4
    .text C:\WINDOWS\system32\mmc.exe[3824] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002E63

    ---- Processes - GMER 1.0.12 ----

    Process C:\WINDOWS\SYSTEM32\HUIMEW.EXE (*** hidden *** ) 2176
    Library C:\windows\system32\huimew.exe (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\HUIMEW.EXE [2176] 0x00400000

    ---- Registry - GMER 1.0.12 ----

    Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected] c:\windows\system32\huimew.exe huimew
    Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected] c:\windows\system32\huimew.exe huimew
    Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected] c:\windows\system32\huimew.exe huimew

    ---- Files - GMER 1.0.12 ----

    File C:\WINDOWS\system32\huimew.exe
    File C:\WINDOWS\system32\huimew.dat
    File C:\WINDOWS\system32\huimew_nav.dat
    File C:\WINDOWS\system32\huimew_navps.dat
    File C:\WINDOWS\Prefetch\HUIMEW.EXE-2A05DEB6.pf

    ---- EOF - GMER 1.0.12 ----
     
  6. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Error, will repost
     
  7. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Open GMER.exe
    Click the Rootkit tab and click the Scan button.
    Once done, click on the following Process in red
    Process C:\WINDOWS\SYSTEM32\HUIMEW.EXE (*** hidden *** ) 2176

    Right-Click on the hidden process and Click on Kill Process

    Click on the following File in red
    Library C:\windows\system32\huimew.exe (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\HUIMEW.EXE [2176] 0x00400000

    Right-click on the hidden file and Click on Remove File

    Close GMER
    ==========================================

    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:) or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Copy the lines below into Notepad and save the file as aftermath.bfu
    Save it in the same folder you made earlier (c:\BFU) and set the file type to "All files"

    RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\huimew
    RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|huimew
    FileDelete %SYSDIR%\huimew_navps.dat
    FileDelete %SYSDIR%\huimew_nav.dat
    FileDelete %SYSDIR%\huimew.dat
    FileDelete %SYSDIR%\huimew.exe
    FileDelete %SYSDIR%\huimew_m2s.xml
    FileDelete %WINDIR%\Prefetch\huimew.exe-*.pf


    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the "scriptline to execute" field click the folder icon and select EGDACCESS.bfu
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Behind the "scriptline to execute" field click the folder icon again and this time select aftermath.bfu
    • Press Execute and let it do its job.
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.

    Reboot and post a new HijackThis log.
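Added example (my own script, not GMER's or BFU's code and not part of the instructions above): a small Python program that reads a GMER log like the one posted earlier in this thread, separates the rootkit's inline hooks from legitimate ones, and writes the hidden registry and file hits out as BFU lines in the syntax aftermath.bfu uses. The log excerpt inside it is constructed to resemble the posted one, with two assumptions: that GMER prints registry hits as key@value (the posted copy shows those lines rendered as e-mail addresses, which is what the forum does to anything containing an @), and that an Uninstall\huimew key existed, as the RegDeleteKey line in the posted script implies. The reading of what each hooked API is for is mine, not something GMER reports.

```python
"""Added example (not GMER's or BFU's code): read a GMER rootkit-scan log,
separate the rootkit's hooks from legitimate ones, and turn the hidden
registry/file hits into a BFU script like the aftermath.bfu posted above."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted log. The Reg lines use GMER's
# key@value form (the forum rendered the posted ones as e-mail addresses); the
# Uninstall line is assumed from the RegDeleteKey in the posted BFU script.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\system32\mmc.exe[3824] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\mmc.exe[3824] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\mmc.exe[3824] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\mmc.exe[3824] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002D81
.text C:\WINDOWS\SYSTEM32\HUIMEW.EXE[2176] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0172200E
.text C:\Program Files\Internet Explorer\iexplore.exe[1288] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll
---- Processes - GMER 1.0.12 ----
Process C:\WINDOWS\SYSTEM32\HUIMEW.EXE (*** hidden *** ) 2176
---- Registry - GMER 1.0.12 ----
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@huimew c:\windows\system32\huimew.exe huimew
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\huimew@DisplayName huimew
---- Files - GMER 1.0.12 ----
File C:\WINDOWS\system32\huimew.exe
File C:\WINDOWS\system32\huimew.dat
File C:\WINDOWS\Prefetch\HUIMEW.EXE-2A05DEB6.pf
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<target_mod>.+))?$")
PROC_RE = re.compile(r"^Process\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(?P<pid>\d+)$")
REG_RE = re.compile(r"^Reg\s+(?P<key>\\Registry\\\S+?)@(?P<value>\S+)(?:\s+(?P<data>.*))?$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+)$")

# What each hooked API buys a user-mode rootkit (my reading, not GMER output).
HOOK_ROLE = {"NtEnumerateKey": "hide registry keys", "NtEnumerateValueKey": "hide registry values",
             "NtQueryDirectoryFile": "hide files", "NtQuerySystemInformation": "hide processes"}
HOOK_ROLE.update(dict.fromkeys(["CreateProcessA", "CreateProcessW", "CreateProcessAsUserA",
                                "CreateProcessAsUserW"], "get loaded into every new process"))

def parse_gmer(text):
    """Split a GMER log into hooks, hidden processes, registry hits and file hits."""
    report = {"hooks": [], "hidden_processes": [], "registry": [], "files": []}
    for line in text.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            report["hooks"].append(m.groupdict())
        elif m := PROC_RE.match(line):
            report["hidden_processes"].append(m.groupdict())
        elif m := REG_RE.match(line):
            report["registry"].append(m.groupdict())
        elif m := FILE_RE.match(line):
            report["files"].append(m.group("path"))
    return report

def suspicious_hooks(report):
    """Hooks whose JMP target GMER could not attribute to a loaded module, per process.
    GMER names the destination module when it resolves (IEFRAME.dll above); a bare
    address is an injected module it does not list. Bases are assumed 64 KiB-aligned."""
    by_proc = defaultdict(list)
    for h in report["hooks"]:
        if h["target_mod"]:
            continue
        target = int(h["target"], 16)
        by_proc[(h["image"], int(h["pid"]))].append(
            {"func": h["func"], "role": HOOK_ROLE.get(h["func"], "unknown"),
             "base": target & 0xFFFF0000, "offset": target & 0xFFFF})
    return dict(by_proc)

def to_bfu(report, windir=r"C:\WINDOWS"):
    """BFU lines (the syntax of the posted aftermath.bfu) for the hidden registry
    and file hits. Killing the hidden process stays a GMER step."""
    lines = []
    for r in report["registry"]:
        key = r["key"].replace(r"\Registry\MACHINE", "HKLM", 1).replace(r"\Registry\USER", "HKU", 1)
        # A rogue Add/Remove Programs entry goes as a whole key; anything else by value.
        entry = (f"RegDeleteKey {key}" if "\\uninstall\\" in key.lower()
                 else f"RegDelValue {key}|{r['value']}")
        if entry not in lines:
            lines.append(entry)
    sysdir = windir + r"\system32"
    for path in report["files"]:
        if path.lower().startswith(sysdir.lower() + "\\"):
            path = "%SYSDIR%" + path[len(sysdir):]
        elif path.lower().startswith(windir.lower() + "\\"):
            path = "%WINDIR%" + path[len(windir):]
        lines.append(f"FileDelete {path}")
    return lines

if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    for (image, pid), hooks in suspicious_hooks(rep).items():
        print(f"{image} [{pid}]")
        for h in hooks:
            print(f"  {h['func']:<25} JMP {h['base']:08X}+{h['offset']:04X}  ({h['role']})")
    print("\n".join(to_bfu(rep)))
```

What the output makes visible is the pattern in the posted log: in every ordinary process the hooked functions jump to 0x1000xxxx, and inside HUIMEW.EXE itself to 0x0172xxxx, with the same offsets (200E, 1DAF, 1CF2, 191B, 2D81, ...), i.e. one injected module loaded at different bases. The functions it patches are exactly the ones a scanner calls to list registry values, directory entries and processes, which is why the Run entry, the files and the process stayed invisible to HijackThis and the other user-mode tools run earlier in the thread, and the CreateProcess* hooks are how it gets into each new process. Hooks that land in IEFRAME.dll are Internet Explorer's own and are skipped. The BFU output covers only what GMER listed; the posted script also deletes huimew_m2s.xml from knowledge of this family, and the process kill remains a GMER step.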
     
  8. platinasti

    platinasti Thread Starter

    Joined:
    Nov 7, 2006
    Messages:
    20
    First of all, I'm grateful for the answer. :)

    Instead of 2176 in
    -Process C:\WINDOWS\SYSTEM32\HUIMEW.EXE (*** hidden *** ) 2176
    the number was 2356.
    That number also appears in
    -Library C:\windows\system32\huimew.exe (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\HUIMEW.EXE [2176] 0x00400000

    I killed the first Process, but I could not Remove the second one (the Library) because that option was unavailable (no action was offered).

    The BFU scan proceeded normally.

    Here's the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:45:31, on 15.2.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\sistray.EXE
    C:\WINDOWS\system32\khooker.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hijackthis\fixvundo.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Dict r&jecnik - C:\IE7\rjecnik.htm
    O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Wiki_&Eng - C:\IE7\Wikipedia_Eng.html
    O8 - Extra context menu item: Wiki_&Hr - C:\IE7\Wikipedia_Hr.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Map 6\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Map 6\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Map 6\AcPreview.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
     
  9. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Hopefully it worked. I need you to run GMER again and post the results. Thanks.
     
  10. platinasti

    platinasti Thread Starter

    Joined:
    Nov 7, 2006
    Messages:
    20
    GMER 1.0.12.12027 - http://www.gmer.net
    Rootkit scan 2007-02-15 14:51:01
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

    ---- User code sections - GMER 1.0.12 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[964] USER32.dll!SetWindowLongA 77D4D60D 5 Bytes JMP 7E38C60B C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[964] USER32.dll!SetWindowLongW 77D4D62B 5 Bytes JMP 7E38C63C C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[964] USER32.dll!DialogBoxParamW 77D5662C 5 Bytes JMP 7E1F5415 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[964] USER32.dll!DialogBoxIndirectParamW 77D62043 5 Bytes JMP 7E38C510 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[964] USER32.dll!MessageBoxIndirectA 77D6A05A 5 Bytes JMP 7E38C491 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[964] USER32.dll!DialogBoxParamA 77D6B11C 5 Bytes JMP 7E38C4D5 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[964] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[964] USER32.dll!MessageBoxExA 77D8055C 5 Bytes JMP 7E38C413 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[964] USER32.dll!DialogBoxIndirectParamA 77D86CAD 5 Bytes JMP 7E38C54B C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[964] USER32.dll!MessageBoxIndirectW 77D96093 5 Bytes JMP 7E38C44D C:\WINDOWS\system32\IEFRAME.dll

    ---- EOF - GMER 1.0.12 ----
     
  11. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Just want to make sure it's fixed.

    Download F-Secure Blacklight (blbeta.exe) to your C:\ drive.

    1. Open a command window by going to Start > Run and typing: cmd
    2. Copy/paste or type the following in the command window:
       C:\blbeta.exe /expert
    3. Accept the user agreement.
    4. Click Scan.
    5. After the scan finishes, click on "Next", then Exit.
    6. BlackLight will create a log in your C:\ drive with the name "fsbl-xxxxxxx.log". Please post that log.
     
  12. platinasti

    platinasti Thread Starter

    Joined:
    Nov 7, 2006
    Messages:
    20
    Yes, everything is doing just fine, no more popups!! (y)

    Here's the log:

    02/16/07 07:27:27 [Info]: BlackLight Engine 1.0.55 initialized
    02/16/07 07:27:27 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    02/16/07 07:27:27 [Note]: 7019 4
    02/16/07 07:27:27 [Note]: 7005 0
    02/16/07 07:27:38 [Note]: 7006 0
    02/16/07 07:27:38 [Note]: 7022 0
    02/16/07 07:27:38 [Note]: 7011 276
    02/16/07 07:27:38 [Note]: 7026 0
    02/16/07 07:27:38 [Note]: 7026 0
    02/16/07 07:27:53 [Note]: FSRAW library version 1.7.1021
    02/16/07 07:36:54 [Note]: 7007 0
     
  13. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Could you post one last HijackThis log? Thanks.
     
  14. platinasti

    platinasti Thread Starter

    Joined:
    Nov 7, 2006
    Messages:
    20
    Logfile of HijackThis v1.99.1
    Scan saved at 14:36:12, on 16.2.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\sistray.EXE
    C:\WINDOWS\system32\khooker.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hamachi\hamachi.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\fixvundo.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Dict r&jecnik - C:\IE7\rjecnik.htm
    O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Wiki_&Eng - C:\IE7\Wikipedia_Eng.html
    O8 - Extra context menu item: Wiki_&Hr - C:\IE7\Wikipedia_Hr.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Map 6\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Map 6\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Map 6\AcPreview.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
     
  15. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Your log is clean!!!! (y)

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.


    Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

    To SET A NEW RESTORE POINT:
    1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
    2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    3. Then go to Start > Run and type: Cleanmgr
    4. Click "OK".
    5. Click the "More Options" Tab.
    6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    Graphics for doing this are in the following links if you need them.
    How to Create a Restore Point.
    How to use Cleanmgr.

    ======================================

    Here is some useful information on keeping your computer clean:
    1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
    2. If you don't have a Firewall installed, please choose from the following:
    3. If you don't have a Anti-Virus installed, please download the following free program:
    4. Here are two great Preventive programs:
      • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
      • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive by downloads.
    5. Surf safe with McAfee's SiteAdvisor. SiteAdvisor works with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
      • Red for Warning
      • Yellow for Use Caution
      • Green for Safe
      • Grey for Unknown

      Here are the links to install SiteAdvisor in Internet Explorer and Firefox
    6. Anti-Spyware Programs I Recommend:
    7. For even more information on securing your computer, read Tony Klein's So How Did I Get Infected In The First Place
     
Short URL to this thread: https://techguy.org/543673
