Urgent Help needed, Trend Chipaway showing hard-disk boot virus.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

omar_s1 (Thread Starter; joined Apr 8, 2008; 3 messages)

Hi people, I need some advice on fixing my PC.

Trend Chipaway has found a bootable virus on my hard disk and informs me of this every time I switch on. My Virgin PC Guard has found it to be Ntos.exe. I think I've killed a portion of it by finding the infected files in the Windows system32 folder, but Trend is still giving me the message, and when I boot up in normal mode Internet Explorer is nigh on unusable and uber slow.

I've attached logs from HijackThis and ComboFix for your guidance.

Please help me as soon as you can. I have a job application I need to submit online by Sunday, so any help you could offer me in resolving this issue before then would be extremely greatly appreciated.

Also, the logs of both scans were taken when the PC was in safe mode.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:16:23, on 07/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [Windoxs Update Center] W32RfSA.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139246004662
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://webgames.d.tmsrv.com/c=2fdd7.../p/release/popcap/wg_zuma/popcaploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 7163 bytes


ComboFix 08-04-08.4 - Administrator 2008-04-08 20:21:49.1 - FAT32x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.79 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\m.saleem\Local Settings\Temporary Internet Files\temp.dmf

.
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-06 23:56 . 2008-04-06 23:56 <DIR> d--hs---- C:\FOUND.003
2008-04-06 23:22 . 2004-08-03 23:56 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-04-06 23:22 . 2001-08-17 21:37 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2008-04-06 23:22 . 2001-08-17 21:37 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-04-06 23:22 . 2001-08-17 21:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-04-06 23:22 . 2004-08-03 21:29 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-04-06 23:22 . 2001-08-17 21:36 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-04-06 23:22 . 2001-08-17 11:11 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-04-06 23:22 . 2001-08-17 21:37 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-04-06 23:21 . 2004-08-03 21:29 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-04-06 23:21 . 2004-08-03 23:56 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
2008-04-06 23:18 . 2001-08-17 12:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-04-06 23:17 . 2001-08-23 13:00 185,344 --a------ C:\WINDOWS\system32\dllcache\thawbrkr.dll
2008-04-06 23:16 . 2001-08-17 11:51 138,528 --a------ C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-04-06 23:16 . 2001-08-17 13:56 81,408 --a------ C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-04-06 23:14 . 2002-11-13 09:57 352,128 -ra------ C:\WINDOWS\system32\OLD682.tmp
2008-04-06 23:13 . 2001-08-17 21:36 386,560 --a------ C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-04-06 23:12 . 2001-08-17 21:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-04-06 23:11 . 2001-08-17 12:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-04-06 23:10 . 2001-08-17 13:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-04-06 23:09 . 2004-08-03 21:59 2,015,232 --a------ C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-04-06 23:08 . 2001-08-23 13:00 111,104 --a------ C:\WINDOWS\system32\dllcache\mtstocom.exe
2008-04-06 23:08 . 2004-08-03 22:10 49,024 --a------ C:\WINDOWS\system32\dllcache\mstape.sys
2008-04-06 23:08 . 2001-08-17 13:02 35,200 --a------ C:\WINDOWS\system32\dllcache\msgame.sys
2008-04-06 23:08 . 2004-08-03 22:00 22,016 --a------ C:\WINDOWS\system32\dllcache\msircomm.sys
2008-04-06 23:08 . 2001-08-17 12:52 17,280 --a------ C:\WINDOWS\system32\dllcache\mraid35x.sys
2008-04-06 23:08 . 2001-08-17 12:57 16,128 --a------ C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-04-06 23:08 . 2001-08-17 12:48 12,416 --a------ C:\WINDOWS\system32\dllcache\msriffwv.sys
2008-04-06 23:08 . 2001-08-17 12:48 6,016 --a------ C:\WINDOWS\system32\dllcache\msfsio.sys
2008-04-06 23:08 . 2001-08-17 13:00 2,944 --a------ C:\WINDOWS\system32\dllcache\msmpu401.sys
2008-04-06 23:06 . 2001-08-17 21:36 372,824 --a------ C:\WINDOWS\system32\dllcache\iconf32.dll
2008-04-06 23:05 . 2004-08-03 23:56 702,845 --a------ C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-04-06 23:04 . 2001-08-17 13:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-04-06 23:03 . 2001-08-17 12:28 634,134 --a------ C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-04-06 23:02 . 2001-08-17 11:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-04-06 23:01 . 2001-08-17 21:36 256,512 --a------ C:\WINDOWS\system32\dllcache\devcon32.dll
2008-04-06 23:00 . 2001-08-17 11:13 980,034 --a------ C:\WINDOWS\system32\dllcache\cicap.sys
2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_1143.nls
2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_1142.nls
2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_1141.nls
2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_1140.nls
2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_1047.nls
2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_10021.nls
2008-04-06 22:59 . 2001-08-23 13:00 66,082 --a------ C:\WINDOWS\system32\dllcache\c_10005.nls
2008-04-06 22:56 . 2005-12-12 13:00 369,664 --a------ C:\WINDOWS\system32\dllcache\asp51.dll
2008-04-06 22:55 . 2001-08-17 13:07 56,960 --a------ C:\WINDOWS\system32\dllcache\aic78xx.sys
2008-04-06 22:55 . 2001-08-17 13:07 55,168 --a------ C:\WINDOWS\system32\dllcache\aic78u2.sys
2008-04-06 22:55 . 2001-08-17 11:11 27,678 --a------ C:\WINDOWS\system32\dllcache\ali5261.sys
2008-04-06 22:55 . 2001-08-17 12:49 26,624 --a------ C:\WINDOWS\system32\dllcache\alifir.sys
2008-04-06 22:55 . 2001-08-23 13:00 19,456 --a------ C:\WINDOWS\system32\dllcache\agt040d.dll
2008-04-06 22:55 . 2001-08-17 11:11 16,969 --a------ C:\WINDOWS\system32\dllcache\amb8002.sys
2008-04-06 22:55 . 2001-08-17 12:52 12,800 --a------ C:\WINDOWS\system32\dllcache\aha154x.sys
2008-04-06 22:55 . 2001-08-17 12:52 12,032 --a------ C:\WINDOWS\system32\dllcache\amsint.sys
2008-04-06 22:55 . 2001-08-17 12:51 5,248 --a------ C:\WINDOWS\system32\dllcache\aliide.sys
2008-04-06 22:52 . 2001-08-17 21:37 24,576 --a------ C:\WINDOWS\system32\dllcache\agcgauge.ax
2008-04-06 22:52 . 2005-12-12 13:00 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0401.dll
2008-04-06 22:50 . 2005-12-12 13:00 189,440 --a------ C:\WINDOWS\system32\dllcache\smtpadm.dll
2008-04-06 22:50 . 2001-08-17 13:56 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-04-06 22:50 . 2005-12-12 13:00 8,192 --a------ C:\WINDOWS\system32\dllcache\staxmem.dll
2008-04-06 22:50 . 2005-12-12 13:00 7,168 --a------ C:\WINDOWS\system32\dllcache\wamregps.dll
2008-04-06 22:42 . 2008-04-06 22:42 <DIR> d--hs---- C:\WINDOWS\system32\dllcache
2008-04-06 19:43 . 2008-04-06 19:43 <DIR> d-------- C:\VundoFix Backups
2008-04-06 19:42 . 2008-04-06 19:42 <DIR> d-------- C:\Rustbfix
2008-04-06 17:31 . 2008-04-06 17:31 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-06 17:30 . 2008-04-06 10:24 <DIR> d-------- C:\SDFix
2008-04-06 17:27 . 2008-04-06 17:27 <DIR> d-------- C:\!KillBox
2008-04-06 17:23 . 2008-04-06 17:23 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-06 17:17 . 2008-04-06 17:17 <DIR> d--hs---- C:\FOUND.002
2008-04-04 00:18 . 2008-04-06 17:18 234,487,808 --a------ C:\WINDOWS\MEMORY.DMP
2008-03-29 22:28 . 2008-03-29 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 22:26 . 2008-03-29 22:26 <DIR> d-------- C:\Program Files\Trojan Remover
2008-03-29 22:26 . 2008-03-29 22:26 <DIR> d-------- C:\Documents and Settings\m.saleem\Application Data\Simply Super Software
2008-03-29 22:26 . 2008-03-29 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-03-29 22:26 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-03-29 22:26 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-03-29 22:26 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-03-29 22:26 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-03-28 11:27 . 2008-04-06 23:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-28 11:27 . 2008-03-28 11:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-26 16:25 . 2008-03-26 16:25 <DIR> d--hs---- C:\FOUND.001
2008-03-17 13:26 . 2008-03-17 13:26 <DIR> d--hs---- C:\FOUND.000
2008-03-16 15:14 . 2008-03-16 15:14 <DIR> d-------- C:\Program Files\iTunes
2008-03-16 15:11 . 2008-03-16 15:11 <DIR> d-------- C:\Program Files\Bonjour
2008-03-16 15:10 . 2008-03-16 15:10 <DIR> d-------- C:\Program Files\QuickTime
2008-03-16 15:05 . 2008-03-16 15:05 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-16 15:03 . 2008-03-16 15:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-16 15:03 . 2008-03-16 15:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 16:02 53,192 ----a-w C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-03-04 10:58 44,032 ----a-w C:\winfyxq.exe
2008-02-23 17:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Virgin Broadband
2008-02-17 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-02-12 17:44 401,058 ----a-w C:\WINDOWS\system32\asmaa Allah.scr
2008-02-10 22:38 --------- d-----w C:\Program Files\Common Files\Java
.

------- Sigcheck -------

2005-12-12 12:00 671744 c98acbd1ab8323b66dfa96f4763c67e2 C:\WINDOWS\system32\wininet.dll
2006-03-04 04:58 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-05-10 06:25 663552 d94cffdb53e7ac867438e2dfd50e7cbc C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll
2006-06-23 12:25 664576 64ce26db72810b30f7855ea51e1df836 C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll
2004-08-04 08:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wininet.dll

2005-12-12 12:00 359936 780fe678dde99b809e8336fb74d587a1 C:\WINDOWS\system32\drivers\tcpip.sys
2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\tcpip.sys

2005-12-12 12:00 1182720 320d5b5f235810a265339c483ab76b15 C:\WINDOWS\explorer.exe
2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2005-12-12 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49 2061552]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 14:10 310000]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 14:10 13552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-03-27 18:10 874064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windoxs Update Center"="W32RfSA.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2005-12-12 12:00 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-09-17 18:04:00 121856]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2005-10-09 22:27:26 135680]
ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2006-07-01 15:05:27 475136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"VIDC.ACDV"= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ScanPanel.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanPanel.lnk
backup=C:\WINDOWS\pss\ScanPanel.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boots Insert Detect]
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
C:\Program Files\BraveSentry\BraveSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Explorer]
C:\WINDOWS\iexplorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 06:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 06:31 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWFX6_0001_N68M2301]
C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 06:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 06:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-06-05 17:00 208941 C:\Program Files\Real\RealOne Player\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
-ra------ 2002-07-12 02:15 106496 C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
C:\WINDOWS\system32\wind32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemSv121]
C:\WINDOWS\system32\n2ewma1xxsv2234.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-05 17:00 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windoxs Update Center]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
--------- 2004-06-08 18:33 69721 C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SonicStage Back-End Service"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\mqsvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealOne Player\\TRUEPLAY.EXE"=
"C:\\Program Files\\ZyDAS Technology Corporation\\ZyDAS_802.11g_Utility\\ZDWlan.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealOne Player\\RealPlay.exe"=
"C:\\Program Files\\Datel\\PSP WIFI Max\\PSPWM.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-08-17 14:43]
S3 ADPK;TRUST [email protected] 300S;C:\WINDOWS\system32\Drivers\SQcaptur.sys [2002-05-06 13:58]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2005-12-12 12:00]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-01-24 15:38]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-01-24 15:38]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-01-24 15:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-16 14:05:32 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 20:25:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-08 20:26:41
ComboFix-quarantined-files.txt 2008-04-08 19:26:38
Pre-Run: 3,661,938,688 bytes free
Post-Run: 3,652,239,360 bytes free
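
A log like the one above is normally read by eye, entry by entry. What follows is an added example written for this page; it is not part of the original post and not code from HijackThis or ComboFix. It is a small Python script that parses the O4 (autostart) lines of a HijackThis log and flags the things a helper usually asks about first. The heuristics are the editor's own assumptions, not anything the thread states: a program given with no directory (so it is found through the PATH search order), an executable sitting loose in a drive root or directly in the Windows directory, an entry name one edit away from "Windows" or "Microsoft", and use of the RunServices key. A flag means "ask about this", not "this is malware". The sample input is a handful of O4 lines copied from the posted log; the two paths checked directly at the end are taken from the ComboFix msconfig and Find3M sections.

```python
"""Offline triage of HijackThis O4 autostart entries.

Added example for this thread (not from the original post, HijackThis or
ComboFix). The flags below are the editor's own heuristics; each one is a
question for a log helper, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [Windoxs Update Center] W32RfSA.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
"""

# Registry-style O4 line: "O4 - <hive>: [<name>] <command>"
O4_REG = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder O4 line: "O4 - Global Startup: <name>.lnk = <command>"
O4_STARTUP = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First program path in a command, quoted or not, with or without arguments.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|scr|dll|com|bat|cmd|pif))"?(?:\s|$)', re.I)
# Words that malware likes to imitate in autostart names (assumption).
LOOKALIKE_TARGETS = ("windows", "microsoft")


@dataclass
class Autostart:
    name: str
    hive: str
    exe: str
    flags: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; the inputs are single words, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_from_command(cmd: str) -> str:
    """Pull the program path out of a Run value (quoted, unquoted with spaces, or with arguments)."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("path")
    # No recognised extension (e.g. "dumprep 0 -k"): fall back to the first token.
    return cmd.split()[0].strip('"') if cmd else ""


def assess(name: str, exe: str, hive: str = "") -> list:
    """Return the reasons a helper would ask about this entry (empty list = nothing odd)."""
    flags = []
    path = exe.replace("/", "\\")
    if "\\" not in path:
        flags.append("bare filename: resolved through the PATH search order, no directory given")
    else:
        parent = path.rsplit("\\", 1)[0].lower()
        if re.fullmatch(r"[a-z]:", parent):
            flags.append("executable directly in the drive root")
        elif re.fullmatch(r"(?:[a-z]:\\windows|%windir%|%systemroot%)", parent):
            flags.append("loose executable directly in the Windows directory")
    for word in re.findall(r"[A-Za-z]+", name):
        for target in LOOKALIKE_TARGETS:
            if word.lower() != target and levenshtein(word.lower(), target) == 1:
                flags.append(f"name word {word!r} is one edit away from {target!r}")
    if "runservices" in hive.lower():
        # RunServices is a Windows 9x/Me autostart key; NT-based Windows does not
        # process it, but malware installers still write to it.
        flags.append("RunServices key: Windows 9x/Me autostart location, not processed by NT/2000/XP")
    return flags


def triage(log_text: str) -> list:
    """Parse every O4 line of a HijackThis log and attach flags to each entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REG.match(line) or O4_STARTUP.match(line)
        if not m:
            continue
        exe = exe_from_command(m.group("cmd"))
        entries.append(Autostart(m.group("name"), m.group("hive"), exe,
                                 assess(m.group("name"), exe, m.group("hive"))))
    return entries


def suspicious(entries: list) -> list:
    """Only the entries that picked up at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(triage(SAMPLE_HJT)):
        print(f"[{e.hive}] {e.name} -> {e.exe}")
        for f in e.flags:
            print("   -", f)
    for label, p in (("Windows update loader", r"C:\Windows\xpupdate.exe"), ("", r"C:\winfyxq.exe")):
        print(p, "->", assess(label, p) or "no flags")
```

Run as-is, it prints the flagged entries. On the sample it singles out the RunServices entry, whose program is given without a path and whose name is a one-letter miss of "Windows"; the two ComboFix paths are flagged for their location only. An entry such as C:\WINDOWS\system32\wind32.exe comes back clean, because it sits in a normal directory under an ordinary-looking name; that is the limit of location-based heuristics, and a helper still compares such names against what actually ships with Windows.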
 

cybertech (Retired Moderator; joined Apr 16, 2002; 72,115 messages)

If you still need help, post a new HijackThis log and make sure it's in normal mode, not safe mode.

omar_s1 (Thread Starter; joined Apr 8, 2008; 3 messages)

I tried to do a new HijackThis log yesterday, but Windows is refusing to load in any mode. When I try to boot via disk I get the Recovery Console and also a Windows installation screen which gives me the option to repair. If I do a new Windows installation, will it wipe the contents of my hard drive?

Also, I have two hard drives in my PC. The infected one is partitioned into C and D drives. I also have an F drive which I can boot up, but that has a different Windows installation on it and is working fine. I just need to get into the C/D operating drive. Any advice would be greatly appreciated, thanks.

cybertech (Retired Moderator; joined Apr 16, 2002; 72,115 messages)

If you do a repair, the data should be OK, but you will have to reinstall your applications.
Can you boot to the F: drive and save your data to that drive so you can format and reload the C: drive?

omar_s1 (Thread Starter; joined Apr 8, 2008; 3 messages)

Done. Sometimes the simplest solutions are the best :)

Do you need me to post another HijackThis log just to be certain it's all clear? Everything does seem to be running fine. Also, one other question: I was using Virgin PCguard for antivirus and firewall, which I believe is produced by Authentium. Am I OK sticking with that, or would you recommend a better product?

Thanks.