
Urgent Help needed, Trend Chipaway showing hard-disk boot virus.

Discussion in 'Virus & Other Malware Removal' started by omar_s1, Apr 8, 2008.

Thread Status:
Not open for further replies.
  1. omar_s1

    omar_s1 Thread Starter

    Joined:
    Apr 8, 2008
    Messages:
    3
    Hi people I need some advice in fixing my PC.

    Trend Chipaway has found a bootable virus on my hard-disk and informs me of this every time I switch on. My Virgin PC Guard has found it to be Ntos.exe. I think I've killed a portion of it by finding the infected files in the Windows system32 folder, but Trend is still giving me the message and when I boot up in normal mode Internet Explorer is nigh on unusable and uber slow.

    I've attached logs from HijackThis and ComboFix for your guidance.

    Please help me as soon as you can, I have a job application I need to submit online by Sunday, so any help you could offer me in resolving this issue before then would be extremely greatly appreciated.

    Also the logs of both scans were taken when the PC was in safe mode.

    Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:16:23, on 07/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [Windoxs Update Center] W32RfSA.exe
    O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139246004662
    O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://webgames.d.tmsrv.com/c=2fdd7.../p/release/popcap/wg_zuma/popcaploader_v6.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

    --
    End of file - 7163 bytes


    ComboFix 08-04-08.4 - Administrator 2008-04-08 20:21:49.1 - FAT32x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.79 [GMT 1:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\m.saleem\Local Settings\Temporary Internet Files\temp.dmf

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
    .

    2008-04-06 23:56 . 2008-04-06 23:56 <DIR> d--hs---- C:\FOUND.003
    2008-04-06 23:22 . 2004-08-03 23:56 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2008-04-06 23:22 . 2001-08-17 21:37 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
    2008-04-06 23:22 . 2001-08-17 21:37 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2008-04-06 23:22 . 2001-08-17 21:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2008-04-06 23:22 . 2004-08-03 21:29 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
    2008-04-06 23:22 . 2001-08-17 21:36 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2008-04-06 23:22 . 2001-08-17 11:11 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
    2008-04-06 23:22 . 2001-08-17 21:37 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2008-04-06 23:21 . 2004-08-03 21:29 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
    2008-04-06 23:21 . 2004-08-03 23:56 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
    2008-04-06 23:18 . 2001-08-17 12:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
    2008-04-06 23:17 . 2001-08-23 13:00 185,344 --a------ C:\WINDOWS\system32\dllcache\thawbrkr.dll
    2008-04-06 23:16 . 2001-08-17 11:51 138,528 --a------ C:\WINDOWS\system32\dllcache\tgiulnt5.sys
    2008-04-06 23:16 . 2001-08-17 13:56 81,408 --a------ C:\WINDOWS\system32\dllcache\tgiul50.dll
    2008-04-06 23:14 . 2002-11-13 09:57 352,128 -ra------ C:\WINDOWS\system32\OLD682.tmp
    2008-04-06 23:13 . 2001-08-17 21:36 386,560 --a------ C:\WINDOWS\system32\dllcache\sgiul50.dll
    2008-04-06 23:12 . 2001-08-17 21:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
    2008-04-06 23:11 . 2001-08-17 12:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
    2008-04-06 23:10 . 2001-08-17 13:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
    2008-04-06 23:09 . 2004-08-03 21:59 2,015,232 --a------ C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2008-04-06 23:08 . 2001-08-23 13:00 111,104 --a------ C:\WINDOWS\system32\dllcache\mtstocom.exe
    2008-04-06 23:08 . 2004-08-03 22:10 49,024 --a------ C:\WINDOWS\system32\dllcache\mstape.sys
    2008-04-06 23:08 . 2001-08-17 13:02 35,200 --a------ C:\WINDOWS\system32\dllcache\msgame.sys
    2008-04-06 23:08 . 2004-08-03 22:00 22,016 --a------ C:\WINDOWS\system32\dllcache\msircomm.sys
    2008-04-06 23:08 . 2001-08-17 12:52 17,280 --a------ C:\WINDOWS\system32\dllcache\mraid35x.sys
    2008-04-06 23:08 . 2001-08-17 12:57 16,128 --a------ C:\WINDOWS\system32\dllcache\modemcsa.sys
    2008-04-06 23:08 . 2001-08-17 12:48 12,416 --a------ C:\WINDOWS\system32\dllcache\msriffwv.sys
    2008-04-06 23:08 . 2001-08-17 12:48 6,016 --a------ C:\WINDOWS\system32\dllcache\msfsio.sys
    2008-04-06 23:08 . 2001-08-17 13:00 2,944 --a------ C:\WINDOWS\system32\dllcache\msmpu401.sys
    2008-04-06 23:06 . 2001-08-17 21:36 372,824 --a------ C:\WINDOWS\system32\dllcache\iconf32.dll
    2008-04-06 23:05 . 2004-08-03 23:56 702,845 --a------ C:\WINDOWS\system32\dllcache\i81xdnt5.dll
    2008-04-06 23:04 . 2001-08-17 13:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
    2008-04-06 23:03 . 2001-08-17 12:28 634,134 --a------ C:\WINDOWS\system32\dllcache\el656ct5.sys
    2008-04-06 23:02 . 2001-08-17 11:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
    2008-04-06 23:01 . 2001-08-17 21:36 256,512 --a------ C:\WINDOWS\system32\dllcache\devcon32.dll
    2008-04-06 23:00 . 2001-08-17 11:13 980,034 --a------ C:\WINDOWS\system32\dllcache\cicap.sys
    2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_1143.nls
    2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_1142.nls
    2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_1141.nls
    2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_1140.nls
    2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_1047.nls
    2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_10021.nls
    2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_10005.nls
    2008-04-06 22:56 . 2005-12-12 13:00 369,664 --a------ C:\WINDOWS\system32\dllcache\asp51.dll
    2008-04-06 22:55 . 2001-08-17 13:07 56,960 --a------ C:\WINDOWS\system32\dllcache\aic78xx.sys
    2008-04-06 22:55 . 2001-08-17 13:07 55,168 --a------ C:\WINDOWS\system32\dllcache\aic78u2.sys
    2008-04-06 22:55 . 2001-08-17 11:11 27,678 --a------ C:\WINDOWS\system32\dllcache\ali5261.sys
    2008-04-06 22:55 . 2001-08-17 12:49 26,624 --a------ C:\WINDOWS\system32\dllcache\alifir.sys
    2008-04-06 22:55 . 2001-08-23 13:00 19,456 --a------ C:\WINDOWS\system32\dllcache\agt040d.dll
    2008-04-06 22:55 . 2001-08-17 11:11 16,969 --a------ C:\WINDOWS\system32\dllcache\amb8002.sys
    2008-04-06 22:55 . 2001-08-17 12:52 12,800 --a------ C:\WINDOWS\system32\dllcache\aha154x.sys
    2008-04-06 22:55 . 2001-08-17 12:52 12,032 --a------ C:\WINDOWS\system32\dllcache\amsint.sys
    2008-04-06 22:55 . 2001-08-17 12:51 5,248 --a------ C:\WINDOWS\system32\dllcache\aliide.sys
    2008-04-06 22:52 . 2001-08-17 21:37 24,576 --a------ C:\WINDOWS\system32\dllcache\agcgauge.ax
    2008-04-06 22:52 . 2005-12-12 13:00 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0401.dll
    2008-04-06 22:50 . 2005-12-12 13:00 189,440 --a------ C:\WINDOWS\system32\dllcache\smtpadm.dll
    2008-04-06 22:50 . 2001-08-17 13:56 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
    2008-04-06 22:50 . 2005-12-12 13:00 8,192 --a------ C:\WINDOWS\system32\dllcache\staxmem.dll
    2008-04-06 22:50 . 2005-12-12 13:00 7,168 --a------ C:\WINDOWS\system32\dllcache\wamregps.dll
    2008-04-06 22:42 . 2008-04-06 22:42 <DIR> d--hs---- C:\WINDOWS\system32\dllcache
    2008-04-06 19:43 . 2008-04-06 19:43 <DIR> d-------- C:\VundoFix Backups
    2008-04-06 19:42 . 2008-04-06 19:42 <DIR> d-------- C:\Rustbfix
    2008-04-06 17:31 . 2008-04-06 17:31 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-06 17:30 . 2008-04-06 10:24 <DIR> d-------- C:\SDFix
    2008-04-06 17:27 . 2008-04-06 17:27 <DIR> d-------- C:\!KillBox
    2008-04-06 17:23 . 2008-04-06 17:23 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
    2008-04-06 17:17 . 2008-04-06 17:17 <DIR> d--hs---- C:\FOUND.002
    2008-04-04 00:18 . 2008-04-06 17:18 234,487,808 --a------ C:\WINDOWS\MEMORY.DMP
    2008-03-29 22:28 . 2008-03-29 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-29 22:26 . 2008-03-29 22:26 <DIR> d-------- C:\Program Files\Trojan Remover
    2008-03-29 22:26 . 2008-03-29 22:26 <DIR> d-------- C:\Documents and Settings\m.saleem\Application Data\Simply Super Software
    2008-03-29 22:26 . 2008-03-29 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
    2008-03-29 22:26 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
    2008-03-29 22:26 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
    2008-03-29 22:26 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
    2008-03-29 22:26 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
    2008-03-28 11:27 . 2008-04-06 23:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-28 11:27 . 2008-03-28 11:27 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-26 16:25 . 2008-03-26 16:25 <DIR> d--hs---- C:\FOUND.001
    2008-03-17 13:26 . 2008-03-17 13:26 <DIR> d--hs---- C:\FOUND.000
    2008-03-16 15:14 . 2008-03-16 15:14 <DIR> d-------- C:\Program Files\iTunes
    2008-03-16 15:11 . 2008-03-16 15:11 <DIR> d-------- C:\Program Files\Bonjour
    2008-03-16 15:10 . 2008-03-16 15:10 <DIR> d-------- C:\Program Files\QuickTime
    2008-03-16 15:05 . 2008-03-16 15:05 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-03-16 15:03 . 2008-03-16 15:03 <DIR> d-------- C:\Program Files\Common Files\Apple
    2008-03-16 15:03 . 2008-03-16 15:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-06 16:02 53,192 ----a-w C:\WINDOWS\system32\drivers\rp_skt32.sys
    2008-03-04 10:58 44,032 ----a-w C:\winfyxq.exe
    2008-02-23 17:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Virgin Broadband
    2008-02-17 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
    2008-02-12 17:44 401,058 ----a-w C:\WINDOWS\system32\asmaa Allah.scr
    2008-02-10 22:38 --------- d-----w C:\Program Files\Common Files\Java
    .

    ------- Sigcheck -------

    2005-12-12 12:00 671744 c98acbd1ab8323b66dfa96f4763c67e2 C:\WINDOWS\system32\wininet.dll
    2006-03-04 04:58 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
    2006-05-10 06:25 663552 d94cffdb53e7ac867438e2dfd50e7cbc C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll
    2006-06-23 12:25 664576 64ce26db72810b30f7855ea51e1df836 C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll
    2004-08-04 08:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wininet.dll

    2005-12-12 12:00 359936 780fe678dde99b809e8336fb74d587a1 C:\WINDOWS\system32\drivers\tcpip.sys
    2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\tcpip.sys

    2005-12-12 12:00 1182720 320d5b5f235810a265339c483ab76b15 C:\WINDOWS\explorer.exe
    2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2005-12-12 12:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49 2061552]
    "PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 14:10 310000]
    "-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 14:10 13552]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
    "TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-03-27 18:10 874064]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Windoxs Update Center"="W32RfSA.exe" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2005-12-12 12:00 15360]
    "ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-09-17 18:04:00 121856]
    EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2005-10-09 22:27:26 135680]
    ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2006-07-01 15:05:27 475136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoDesktopCleanupWizard"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoInstrumentation"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= ffdshow.ax
    "VIDC.ACDV"= ACDV.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ScanPanel.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanPanel.lnk
    backup=C:\WINDOWS\pss\ScanPanel.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boots Insert Detect]
    C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
    C:\Program Files\BraveSentry\BraveSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
    --------- 2004-12-02 18:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Explorer]
    C:\WINDOWS\iexplorer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    --a------ 2004-08-04 06:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    --a------ 2004-08-04 06:31 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
    C:\Program Files\Napster\napster.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWFX6_0001_N68M2301]
    C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    --a------ 2004-08-04 06:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    --a------ 2004-08-04 06:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
    --a------ 2006-06-05 17:00 208941 C:\Program Files\Real\RealOne Player\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
    -ra------ 2002-07-12 02:15 106496 C:\WINDOWS\SiSUSBrg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
    C:\WINDOWS\system32\wind32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemSv121]
    C:\WINDOWS\system32\n2ewma1xxsv2234.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2006-06-05 17:00 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
    C:\Windows\xpupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windoxs Update Center]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2006-11-30 21:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
    --------- 2004-06-08 18:33 69721 C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SonicStage Back-End Service"=3 (0x3)
    "PDEngine"=3 (0x3)
    "PDAgent"=2 (0x2)
    "PACSPTISVR"=3 (0x3)
    "MSCSPTISRV"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\System32\\mqsvc.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Real\\RealOne Player\\TRUEPLAY.EXE"=
    "C:\\Program Files\\ZyDAS Technology Corporation\\ZyDAS_802.11g_Utility\\ZDWlan.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Real\\RealOne Player\\RealPlay.exe"=
    "C:\\Program Files\\Datel\\PSP WIFI Max\\PSPWM.EXE"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-08-17 14:43]
    S3 ADPK;TRUST [email protected] 300S;C:\WINDOWS\system32\Drivers\SQcaptur.sys [2002-05-06 13:58]
    S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
    S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2005-12-12 12:00]
    S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-01-24 15:38]
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-01-24 15:38]
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-01-24 15:38]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-16 14:05:32 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-08 20:25:10
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-08 20:26:41
    ComboFix-quarantined-files.txt 2008-04-08 19:26:38
    Pre-Run: 3,661,938,688 bytes free
    Post-Run: 3,652,239,360 bytes free
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    If you still need help, post a new HijackThis log and make sure it's in normal mode, not safe mode.
     
  3. omar_s1

    omar_s1 Thread Starter

    Joined:
    Apr 8, 2008
    Messages:
    3
    I tried to do a new HijackThis log yesterday, but Windows is refusing to load in any mode. When I tried to boot via disk I get the recovery console and also a Windows installation screen which gives me the option to repair. If I do a new Windows installation, will it wipe the contents of my hard-drive?

    Also I have two hard-drives on my PC. The infected one is partitioned into C and D drives. I also have an F drive which I can boot up, but that has a different Windows installation on it and is working fine. I just need to get into the C/D operating drive. Any advice would be greatly appreciated, thanks.
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    If you do a repair, the data should be OK but you will have to reinstall your applications.
    Can you boot to the F: drive and save your data to that drive so you can format and reload the C: drive?
     
  5. omar_s1

    omar_s1 Thread Starter

    Joined:
    Apr 8, 2008
    Messages:
    3
    Done. Sometimes the simplest solutions are the best :)

    Do you need me to post another HijackThis log just to be certain it's all clear? Everything does seem to be running fine. Also, one other question: I was using Virgin PCguard for antivirus and firewall, which I believe is produced by Authentium. Am I OK sticking with that, or would you recommend a better product?

    Thanks.
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I think one AV is as good as another if you keep it updated. There are some other suggestions in this thread: Security Help Tools
     
Short URL to this thread: https://techguy.org/701669