Mischel Internet Security Forum / Malware / Trojans
(Moderators: Helena, Gavin_Coe, Magnus)
Topic: HJT log after directions were given. Please read!!
gurdeep (Newbie, Posts: 29)
« on: Jun 2nd, 2007, 2:08am »

Scanned my computer with the directions I was given. Thanks a bunch guys, I think it worked. But I'm still wondering if my computer is in the green after all of those scans. If worse comes to worse I can always reformat my master because it's fairly new. Thanks for your time.
 
 
Logfile of HijackThis v1.99.1
Scan saved at 11:57:15 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\smgr.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\GURDEEP\Desktop\HJT.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {89909F19-DB5F-46C0-B7FE-5E380D57EFBA} - C:\WINDOWS\system32\nnnlm.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [ECS CLOCK] C:\WINDOWS\system32\ecsclock.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnlm - C:\WINDOWS\system32\nnnlm.dll
O20 - Winlogon Notify: winipp32 - winipp32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat
O20 - Winlogon Notify: Èx€ - Èx€ (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 

gurdeep (Newbie, Posts: 29)
« Reply #1 on: Jun 2nd, 2007, 2:10am »

Logfile of HijackThis v1.99.1
Scan saved at 12:10:09 AM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\smgr.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\GURDEEP\Desktop\New Folder (2)\HJT.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {89909F19-DB5F-46C0-B7FE-5E380D57EFBA} - C:\WINDOWS\system32\nnnlm.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [ECS CLOCK] C:\WINDOWS\system32\ecsclock.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnlm - C:\WINDOWS\system32\nnnlm.dll
O20 - Winlogon Notify: winipp32 - winipp32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat
O20 - Winlogon Notify: Èx€ - Èx€ (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 

siliconman01 (Global Moderator, Posts: 5662)
« Reply #2 on: Jun 2nd, 2007, 2:35am »

There is still an infection.  The file nnnlm.dll is a Vundo infection.  Please go to the Symantec link below and run the Vundo removal tool as per the instructions.  Then post a new HJT scan log back here so we can see if the removal was successful.    
 
 
http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99
 
On second thought, the VundoFix.exe 6.4.1 at the link below is probably a more up-to-date fixer.  Please use it.
 
http://www.softpedia.com/get/Antivirus/VundoFix.shtml
« Last Edit: Jun 2nd, 2007, 4:27am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

siliconman01 (Global Moderator, Posts: 5662)
« Reply #3 on: Jun 2nd, 2007, 2:52am »

Also, would you please submit the following file to Mischel Internet Security for analysis?
 
__c008C0C4.dat
 
 
The link below describes how to submit a file:
 
http://www.misec.net/forum/board/FAQ/1139308293

gurdeep (Newbie, Posts: 29)
« Reply #4 on: Jun 2nd, 2007, 4:37pm »


Hey, it's me again. Thanks for checking that over. I checked my computer with the Symantec and the Vundo fix and I'm pretty sure it deleted the Vundo and several others. Here is the log from HJT. Thanks again.
 
 
Logfile of HijackThis v1.99.1
Scan saved at 2:20:31 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\smgr.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\GURDEEP\Desktop\New Folder (2)\HJT.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {717A61B8-ED2C-42E6-B9EF-75161085DB85} - C:\WINDOWS\system32\nnnlm.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [ECS CLOCK] C:\WINDOWS\system32\ecsclock.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winipp32 - winipp32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat
O20 - Winlogon Notify: Èx€ - Èx€ (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 

siliconman01 (Global Moderator, Posts: 5662)
« Reply #5 on: Jun 2nd, 2007, 11:16pm »


Yep, it looks like the Vundo infection was cleaned.  Please do the following now.
 
1.  Run another HijackThis scan.
 
2.  When the scan is completed, place a checkmark in the box next to each of the items below.  BE SURE these are the only items check marked.
 

O2 - BHO: (no name) - {717A61B8-ED2C-42E6-B9EF-75161085DB85} - C:\WINDOWS\system32\nnnlm.dll (file missing)
 
O20 - Winlogon Notify: winipp32 - winipp32.dll (file missing)  
 
O20 - Winlogon Notify: Èx€ - Èx€ (file missing)

 
3.  Click on Fix Checked on the lower left of the HJT window and let it fix the above items.  
 
4.  Reboot your computer.
 
5.  Post a new HJT scan log for review.
 
NOTE:  I am still concerned about the entry below.  Did you submit the file as requested in my previous post?  
 
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat

 
In addition, your System Restore is most likely infected.  The only way to clean it is to turn off System Restore, reboot, and then turn on System Restore again.  The link below provides steps to do this if you do not know how.
 
http://www.misec.net/forum/board/FAQ/1139255588

gurdeep (Newbie, Posts: 29)
« Reply #6 on: Jun 3rd, 2007, 12:11am »


Hey, thanks again. I did what you said and here's the HJT log. And I was just going to report the file you told me to report. Thanks a bunch.
 
Logfile of HijackThis v1.99.1
Scan saved at 10:04:13 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\smgr.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\GURDEEP\LOCALS~1\Temp\hostmon.exe
C:\WINDOWS\avp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\GURDEEP\Desktop\New Folder (2)\HJT.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [ECS CLOCK] C:\WINDOWS\system32\ecsclock.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 

siliconman01 (Global Moderator, Posts: 5662)
« Reply #7 on: Jun 3rd, 2007, 12:49am »


There are two NEW items showing up in this HJT log.  They are:
 
C:\DOCUME~1\GURDEEP\LOCALS~1\Temp\hostmon.exe  
C:\WINDOWS\avp.exe
 
Typically avp.exe is associated with Kaspersky AV; HOWEVER, it should not be in the C:\Windows folder.  There is a worm named avp.exe.  Would you please run AVP.exe through VirusTotal and see if it reports that this file is bad?
 
http://www.virustotal.com/en/indexf.html
 
Also submit the file to Mischel Internet Security for analysis.
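A defender-side helper, added here as an example and not part of the thread, of HijackThis or of TrojanHunter: it parses two HijackThis v1.99.1 logs, reports processes and entries that are new since the previous scan (how the new hostmon.exe and avp.exe processes were spotted in Reply #7), and flags the kinds of entries singled out in Reply #5: "(file missing)" orphans, a Winlogon Notify handler whose target is not a DLL, garbled entry names, plus processes running from a Temp folder and a security-product executable name outside Program Files. The sample scans are constructed from lines posted in this thread, and the heuristics and the AV_NAMES list are assumptions made for this example, not a complete rule set.

```python
import re
from typing import Dict, List

# Constructed sample scans, modelled on the log lines posted in this thread.
SCAN_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {89909F19-DB5F-46C0-B7FE-5E380D57EFBA} - C:\WINDOWS\system32\nnnlm.dll
O20 - Winlogon Notify: nnnlm - C:\WINDOWS\system32\nnnlm.dll
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat
"""

SCAN_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\DOCUME~1\GURDEEP\LOCALS~1\Temp\hostmon.exe
C:\WINDOWS\avp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {717A61B8-ED2C-42E6-B9EF-75161085DB85} - C:\WINDOWS\system32\nnnlm.dll (file missing)
O20 - Winlogon Notify: winipp32 - winipp32.dll (file missing)
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat
"""

ENTRY_RE = re.compile(r"^[RO]\d+ - ")      # R0/R1..., O2/O4/O20/O23... entry lines
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")   # lines of the "Running processes" block
TEMP_RE = re.compile(r"\\(temp|tmp)\\")    # applied to lower-cased paths
# Executable names that belong to a security product; a copy outside Program Files
# deserves a look. Assumption for this example, not a complete list.
AV_NAMES = {"avp.exe"}


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a log into its running-process paths and its lettered entries."""
    processes, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries.append(line)
        elif PROCESS_RE.match(line):
            processes.append(line)
    return {"processes": processes, "entries": entries}


def diff_scans(before: str, after: str) -> Dict[str, List[str]]:
    """What appeared or disappeared between two scans of the same machine."""
    old, new = parse_hjt(before), parse_hjt(after)
    old_procs = {p.lower() for p in old["processes"]}
    old_entries, new_entries = set(old["entries"]), set(new["entries"])
    return {
        "new_processes": [p for p in new["processes"] if p.lower() not in old_procs],
        "new_entries": [e for e in new["entries"] if e not in old_entries],
        "removed_entries": [e for e in old["entries"] if e not in new_entries],
    }


def triage_entry(line: str) -> List[str]:
    """Heuristic flags for one entry line; an empty list means nothing stood out."""
    flags: List[str] = []
    if "(file missing)" in line:
        flags.append("orphaned: registry entry points at a file that is gone")
    if line.startswith("O20 - Winlogon Notify:"):
        # The target is the last " - " separated field; Winlogon loads it as a DLL.
        target = line.split(" - ")[-1].replace("(file missing)", "").strip()
        if not target.lower().endswith(".dll"):
            flags.append("Winlogon Notify target is not a .dll")
    if any(ord(c) < 32 or ord(c) > 126 for c in line):
        flags.append("garbled or non-ASCII characters in entry")
    return flags


def triage_process(path: str) -> List[str]:
    """Heuristic flags for one running-process path."""
    flags: List[str] = []
    low = path.lower()
    if TEMP_RE.search(low):
        flags.append("running from a temp directory")
    name = low.rsplit("\\", 1)[-1]
    if name in AV_NAMES and "\\program files\\" not in low and "\\progra~1\\" not in low:
        flags.append("security-product executable name outside Program Files")
    return flags


def triage(before: str, after: str) -> List[str]:
    """Findings a human should look at: flagged new processes and flagged entries."""
    delta = diff_scans(before, after)
    findings: List[str] = []
    for proc in delta["new_processes"]:
        for flag in triage_process(proc):
            findings.append(f"NEW PROCESS {proc}: {flag}")
    for entry in parse_hjt(after)["entries"]:
        for flag in triage_entry(entry):
            findings.append(f"ENTRY {entry}: {flag}")
    return findings


if __name__ == "__main__":
    for finding in triage(SCAN_BEFORE, SCAN_AFTER):
        print(finding)
```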

Gavin_Coe (Trojan Analyst, Posts: 2038)
« Reply #8 on: Jun 3rd, 2007, 2:38pm »


Yes, they look like malware. The first file was received and is malware, and some detection from the log was added too. Thanks!

gurdeep (Newbie, Posts: 29)
« Reply #9 on: Jun 3rd, 2007, 5:26pm »


This is what VirusTotal came up with. I didn't know what to do next. I submitted the avp.exe file but not the other one because CCleaner got rid of it. I have also posted a recent HJT log because I didn't know how to get rid of the __c008C0C4. Thanks a bunch.
 
 
 
http://www.virustotal.com/vt/en/resultadof?52af17e871b39a231e43d36b7ed85be2
 
Complete scanning result of "abc5026def.exe", received in VirusTotal at 06.03.2007, 23:50:38 (CET).
 
Antivirus          Version         Update      Result
AhnLab-V3          2007.5.31.2     06.01.2007  Win-Trojan/Alphabet.18944
AntiVir            7.4.0.29        06.03.2007  TR/AVKiller.18944
Authentium         4.93.8          05.23.2007  no virus found
Avast              4.7.997.0       06.01.2007  Win32:Alphabet
AVG                7.5.0.467       06.03.2007  Downloader.Generic4.STM
BitDefender        7.2             06.03.2007  BehavesLike:Win32.AV-Killer
CAT-QuickHeal      9.00            06.02.2007  (Suspicious) - DNAScan
ClamAV             devel-20070416  06.03.2007  no virus found
DrWeb              4.33            06.03.2007  Trojan.MulDrop.6389
eSafe              7.0.15.0        06.03.2007  Win32.Alphabet.b
eTrust-Vet         30.7.3688       06.03.2007  no virus found
Ewido              4.0             06.03.2007  Downloader.Alphabet.b
FileAdvisor        1               06.03.2007  no virus found
Fortinet           2.85.0.0        06.02.2007  W32/Alphabet.B!tr.dldr
F-Prot             4.3.2.48        06.01.2007  no virus found
F-Secure           6.70.13030.0    06.03.2007  Trojan-Downloader.Win32.Alphabet.b
Ikarus             T3.1.1.8        06.03.2007  Trojan-Downloader.Win32.Alphabet.b
Kaspersky          4.0.2.24        06.03.2007  Trojan-Downloader.Win32.Alphabet.b
McAfee             5044            06.01.2007  no virus found
Microsoft          1.2503          06.03.2007  no virus found
NOD32v2            2305            06.01.2007  probably unknown NewHeur_PE virus
Norman             5.80.02         06.01.2007  W32/DLoader.CVMB
Panda              9.0.0.4         06.03.2007  Adware/DriveCleaner
Prevx1             V2              06.03.2007  Malicious
Sophos             4.18.0          06.01.2007  no virus found
Sunbelt            2.2.907.0       05.30.2007  Scam.Iwin
Symantec           10              06.03.2007  no virus found
TheHacker          6.1.6.128       05.31.2007  Trojan/Downloader.Alphabet.b
VBA32              3.12.0          06.03.2007  Trojan-Downloader.Win32.Alphabet.b
VirusBuster        4.3.23:9        06.03.2007  Trojan.DL.Alphabet.X
Webwasher-Gateway  6.0.1           06.03.2007  Trojan.AVKiller.18944
 
Aditional Information
File size: 18944 bytes
MD5: ff627bec4328f6896ec56f2fb7117bda
SHA1: 68f49b613859b68e1e5274a8d1b7155da3704d08
packers: PECompact, PECompact
packers: PECOMPACT
packers: embedded, PecBundle, PECompact
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=351797979748
Sunbelt info: Scam.Iwin is created by an infected Windows Meta File (WMF) that is downloaded through an exploit for the purpose of transmitting false clicks to internet URLs.

Logfile of HijackThis v1.99.1
Scan saved at 3:24:29 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\GURDEEP\Desktop\New Folder (2)\HJT.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [ECS CLOCK] C:\WINDOWS\system32\ecsclock.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
siliconman01
Global Moderator
Re: HJT log after directions were given. Please re
« Reply #10 on: Jun 4th, 2007, 12:09am »
Let's try this:
 
1.  Download the latest rulesets for TrojanHunter.  If you do not have a licensed TrojanHunter, download the rulesets manually as per the link below.
 
http://www.misec.net/trojanhunter/updating/
 
2.  Reboot your computer into SAFE MODE.
 
3.  Run a FULL scan with TrojanHunter and let it clean what it finds.
 
4.  Run a HijackThis scan.
 
5.  When the scan is completed, place a check mark next to  
 
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat
 
and click on Fix Checked.  Let HJT fix the item.  
 
6.  Close HJT.
 
7.  Reboot back into Normal Mode.
 
8.  Run another HJT scan and post the log.  
 
I notice that AVP.EXE is not showing up in your HJT log.  Did you remove it via a security scanner or what?
« Last Edit: Jun 4th, 2007, 12:14am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
gurdeep
Newbie
Re: HJT log after directions were given. Please re
« Reply #11 on: Jun 4th, 2007, 12:25am »
Thanks. I'll do that as soon as I get the chance, because I don't have access to that computer right now. Um, I think it's not there because it showed up in my Webroot SpySweeper scan, so I think that deleted it. And now every so often SpySweeper comes up when I'm connected to the net and asks me if I want to block the installation of avp.exe, and I always click block. I'll post that HJT log ASAP. Thanks.
siliconman01
Global Moderator
Re: HJT log after directions were given. Please re
« Reply #12 on: Jun 4th, 2007, 1:09am »
NOTE:
 
Some other bad things are showing up in this latest HJT log.
 
Please submit the following two files for analysis:
 
smanager.7.exe
smgr.exe

 
I'm not sure that smgr.exe is bad; HOWEVER, smanager.7.exe is a trojan that is now showing up on your system.  Something appears to be downloading/installing infectious software on your system because smanager.7.exe was not showing up prior to this latest HJT scan post.
 
After you do what I posted before and reboot back into Normal Mode, please run a TOTAL system remote scan by Kaspersky at the following link.
 
http://www.kaspersky.com/virusscanner
 
BE SURE that SpySweeper and any other security program other than your firewall are disabled prior to running the Kaspersky scan.  You will need to access the Kaspersky site with IE because it requires that an ActiveX module be installed.  Let Kaspersky install the ActiveX component so that it can scan.  Please post the results of the Kaspersky scan.
 
Then go to the link below and download/install/run Blacklight rootkit detector.  Be sure to download only Blacklight, not the F-Secure Internet Security 2007.  
 
http://www.f-secure.com/blacklight/blacklight.html
 
Please post the results of the Blacklight rootkit scan.  
« Last Edit: Jun 4th, 2007, 1:10am by siliconman01 »
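Added example, not code from this thread or from Mischel Internet Security: a small Python triage script that applies to HijackThis v1.99.1 lines the two checks the moderator made by eye in Reply #10 and Reply #12. It flags O4 Run entries that launch a bare file name such as smgr.exe or smanager.7.exe (no directory, so the program is located through the standard search path rather than a fixed location), and O20 Winlogon Notify entries whose package is not a .dll or whose name matches the __c008C0C4 pattern that Kaspersky later reported as Packed.Win32.Morphine.a. The sample lines are copied from the log posted above; the allowlist of bare-name system hosts and the heuristics themselves are assumptions for illustration, not a signature set.

```python
import re
from typing import List, Tuple

# Excerpt of the HijackThis v1.99.1 log posted in this thread, used here as
# constructed sample input for the triage routine below.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat
"""

# Line shapes used by HJT 1.99.1 for Run keys and Winlogon Notify packages.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')

# Hypothetical allowlist (assumption): system hosts that are legitimately
# started by bare name, as the Cmaudio entry above does with RunDll32.
BARE_NAME_ALLOW = {"rundll32", "rundll32.exe"}

# Naming pattern of the Winlogon Notify entry flagged in Reply #10 and later
# reported by Kaspersky as Packed.Win32.Morphine.a (page-specific, not generic).
RANDOM_C_NAME = re.compile(r'^__c[0-9A-Fa-f]{8}$')


def executable_of(cmd: str) -> str:
    """Return the program part of an autorun command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def has_directory(exe: str) -> bool:
    """True if the program is given with a path rather than as a bare file name."""
    return "\\" in exe or ":" in exe or "/" in exe


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Apply both heuristics to every O4 and O20 line; return (section, name, reason)."""
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if not has_directory(exe) and exe.lower() not in BARE_NAME_ALLOW:
                findings.append(("O4", m.group("name"),
                                 f"autorun by bare file name '{exe}' (no path given)"))
            continue
        m = O20_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path").strip()
            reasons = []
            if not path.lower().endswith(".dll"):
                reasons.append("Winlogon Notify package is not a .dll")
            if RANDOM_C_NAME.match(name):
                reasons.append("name matches the __cXXXXXXXX pattern seen in this thread")
            if reasons:
                findings.append(("O20", name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {name:<14} {reason}")
```

Run against the excerpt it reports smgr, SManager and __c008C0C4 and stays quiet on iTunesHelper, SpySweeper, Cmaudio and WRNotifier. Treat hits as leads to verify, which is what the moderator does by asking for the two files to be submitted for analysis; a bare file name or an odd extension is a reason to look closer, not a verdict on its own.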
gurdeep
Newbie
Re: HJT log after directions were given. Please re
« Reply #13 on: Jun 4th, 2007, 6:46pm »
Logfile of HijackThis v1.99.1
Scan saved at 4:46:08 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\GURDEEP\Desktop\New Folder (2)\HJT.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [ECS CLOCK] C:\WINDOWS\system32\ecsclock.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: __c008C0C4 - C:\WINDOWS\system32\__c008C0C4.dat
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
gurdeep
Newbie
Re: HJT log after directions were given. Please re
« Reply #14 on: Jun 4th, 2007, 7:43pm »
-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Monday, June 04, 2007 5:42:02 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update:  5/06/2007
 Kaspersky Anti-Virus database records: 339618
-------------------------------------------------------------------------------
 
Scan Settings:
 
Scan using the following antivirus database: extended
 
Scan Archives: true
 
Scan Mail Bases: false
 
Scan Target - Critical Areas:
 
C:\WINDOWS
 
C:\DOCUME~1\GURDEEP\LOCALS~1\Temp\
 
Scan Statistics:
 
Total number of scanned objects: 13502
 
Number of viruses found: 5
 
Number of infected objects: 6 / 0
 
Number of suspicious objects: 3
 
Duration of the scan process: 00:09:50
 
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\abc5026def.exe
Infected: Trojan-Downloader.Win32.Alphabet.b
skipped
C:\WINDOWS\btn5026v7.exe
Infected: Trojan-Downloader.Win32.Alphabet.b
skipped
C:\WINDOWS\Debug\PASSWD.LOG
Object is locked
skipped
C:\WINDOWS\SchedLgU.Txt
Object is locked
skipped
C:\WINDOWS\services.dll
Infected: Trojan-Downloader.Win32.Agent.bhg
skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
Object is locked
skipped
C:\WINDOWS\Sti_Trace.log
Object is locked
skipped
C:\WINDOWS\system32\CatRoot2\edb.log
Object is locked
skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb
Object is locked
skipped
C:\WINDOWS\system32\config\Antivirus.Evt
Object is locked
skipped
C:\WINDOWS\system32\config\AppEvent.Evt
Object is locked
skipped
C:\WINDOWS\system32\config\default
Object is locked
skipped
C:\WINDOWS\system32\config\DEFAULT.LOG
Object is locked
skipped
C:\WINDOWS\system32\config\SAM
Object is locked
skipped
C:\WINDOWS\system32\config\SAM.LOG
Object is locked
skipped
C:\WINDOWS\system32\config\SecEvent.Evt
Object is locked
skipped
C:\WINDOWS\system32\config\SECURITY
Object is locked
skipped
C:\WINDOWS\system32\config\SECURITY.LOG
Object is locked
skipped
C:\WINDOWS\system32\config\software
Object is locked
skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG
Object is locked
skipped
C:\WINDOWS\system32\config\SysEvent.Evt
Object is locked
skipped
C:\WINDOWS\system32\config\system
Object is locked
skipped
C:\WINDOWS\system32\config\SYSTEM.LOG
Object is locked
skipped
C:\WINDOWS\system32\h323log.txt
Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Object is locked
skipped
C:\WINDOWS\system32\xpdt.sys
Object is locked
skipped
C:\WINDOWS\system32\xpdx.sys
Object is locked
skipped
C:\WINDOWS\system32\__c001CAEE.dat
Suspicious: Packed.Win32.Morphine.a
skipped
C:\WINDOWS\system32\__c008C0C4.dat
Suspicious: Packed.Win32.Morphine.a
skipped
C:\WINDOWS\system32\__c009B944.dat
Suspicious: Packed.Win32.Morphine.a
skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4c0.dat
Object is locked
skipped
C:\WINDOWS\Temp\startdrv.exe
Infected: Trojan-Dropper.Win32.Agent.bie
skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt
Object is locked
skipped
C:\WINDOWS\wiadebug.log
Object is locked
skipped
C:\WINDOWS\wiaservc.log
Object is locked
skipped
C:\WINDOWS\win32.exe
Infected: Packed.Win32.Tibs.z
skipped
C:\WINDOWS\win32.exe~
Infected: Packed.Win32.Tibs.z
skipped
C:\WINDOWS\WindowsUpdate.log
Object is locked
skipped
 
Scan process completed.