autoexec.bat BV:malware-gen

Hello, i am trying to find a solution for this virus that i have on my computer. Avast has put it in quarantaine, but then the next day it popped up again. I’ve read here that i should download hijack this and post my log here. I am about to do this now, but my post exceeds the maximun allowed length. So i think i’ll cut my logfile up into smaller pieces.
I have no idea what the virus does, but i don’t like it a bit. I hope someone here will be able to help me. Thanks in advance!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:16:33, on 6-4-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\lsass.exe
C:\WINDOWS\system32\wordpad.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\PROGRA~1\GOOGLE~1\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM..\Run: [SonyPowerCfg] “C:\Program Files\Sony\VAIO Power Management\SPMgr.exe”
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM..\Run: [VAIO Update 2] “C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe” /Stationary
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [lsass] C:\windows\system\lsass.exe
O4 - HKLM..\Run: [taskmgra] C:\WINDOWS\system32\wordpad.exe
O4 - HKLM..\Run: [explorer] C:\WINDOWS\system32\explori.exe
O4 - HKCU..\Run: [BitTorrent] “C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Lokale service’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Netwerkservice’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add RSS Support Site to VAIO Information FLOW - C:\Program Files\Sony\VAIO Information FLOW\aiesc.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe


End of file - 12618 bytes

can please please somebody help me?
thanks so much!!

you can fix this item probably

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

but wait for a confirmation from someone else :wink:

Hi niekoolien,

You can find your hijackthis analysis here:
http://www.hijackthis.de/logfiles/7fceff8825345bd0c3f31a397c0a7a42.html

Check the following finds (lsass.exe & wordpad.exe & explori.exe) through uploading here: http://www.virustotal.com/
then report the findings in your next posting:

The following items could be fixed if you update the files to virustotal, and they are found to be malicious:

C:\windows\system\lsass.exe - This entry is not running from the System32 folder, so it is probably nasty.Possibly nasty! According to our database this process runs normally in c:\windows\system32! Check if you know this process and arrange a viruscheck where required. This process is not running from the System32 folder as it is supposed to be.
[Y] C:\WINDOWS\system32\wordpad.exe - Possibly nasty! According to our database this process runs normally in c:\programme\windows nt\accessories! Check if you know this process and arrange a viruscheck where required.

The following could be fixed, after you update the files to virustotal and
lsass.exe, explori.exe are found to be malicious:

[N] O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) - Unnecessary (deactivated) entry that can be fixed. This entry was classified from our visitors as good.
O4 - HKLM..\Run: [lsass] C:\windows\system\lsass.exe - Must be fixed! Added by the VOUMIT-A WORM! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in
O4 - HKLM..\Run: [explorer] C:\WINDOWS\system32\explori.exe - Fuzzy Algorithmcheck (1.99 / 5.00), Nasty

polonus

[list]Hi niekolien,

In case you have an additional autorun infection, do the following:

Now to cure your autoruns infection:

Download and Install Microsoft’s TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay – except your CD/DVD drive letters

This will prevent autoruns from running on your computer. Make sure you uncheck all drive letters in the list, except your cd/dvd.

Download “Clean Autoruns”:From HERE

http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip

Save and extract its contents to the desktop. It is a folder containing a Batch file, Clean autoruns.bat, Written by Mosaic1. Once extracted, open the folder and double click on the Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt , that will show the state before and after the cleaning.

Please post those

Now to protect those drives, I will need you to down load and run this program.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First it will remove any autorun.inf it finds. It will create a SYSTEM protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will disable any current Autorun infection its ability to restart,

And finally:
Please download ATF Cleaner by Atribune from here: http://www.majorgeeks.com/downloadget.php?id=4949&file=10&evp=72ef5a5e927b2276e6a5bc34c89d005a
This program is for XP and Windows 2000 only

  Double-click 

ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser

  Click 

Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
[/list]If you use Opera browser

  Click 

Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

polonus

thank you so much!
i’ve uploaded those two tings to virustotal and it said this:

Bestand lsass.exe_ ontvangen op 2007.11.28 16:02:57 (CET)
Huidig status: Einde

Resultaat: 20/32 (62.50%)
Geformatteerd Resultaten afdrukken
Antivirus Versie Laatst geüpdatet Resultaat
AhnLab-V3 - - Win32/Parite
AntiVir - - TR/Spy.Banker.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - Win32.Parite.B
CAT-QuickHeal - - -
ClamAV - - PUA.Packed.TeLock
DrWeb - - Win32.Parite.2
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - Win32/Pinfi.A
Ewido - - -
F-Prot - - -
F-Secure - - Virus.Win32.Parite.b
FileAdvisor - - -
Fortinet - - -
Ikarus - - Trojan-Downloader.Win32.Banload.auf
Kaspersky - - Virus.Win32.Parite.b
McAfee - - W32/Pate.b
Microsoft - - Virus:Win32/Parite.B
NOD32v2 - - Win32/Parite.B
Norman - - -
Panda - - W32/Parite.B
Prevx1 - - -
Rising - - Win32.Parite.b
Sophos - - W32/Parite-B
Sunbelt - - VIPRE.Suspicious
Symantec - - -
TheHacker - - W32/Behav-Heuristic-066
VBA32 - - Win32.Parite.B
VirusBuster - - -
Webwasher-Gateway - - Trojan.Spy.Banker.Gen
Extra informatie
MD5: 329de40d6ac103c715d65e27326d4964
SHA1: 25927dfa7cf3c87106f533e38cc556499b7aecb3
SHA256: 283d23a36b4b5db160dffe1dbde5aca8c2127aff52e3b452e260fc3e9dd73a1a
SHA512: 87e9a394670531b08c349280bef6c8378645ec909ac7662631de599f2cda97c211a7239cd675a9a1dff488d7811b7ece76b72b13c70ec49a4b4ffca3c67b263a

Bestand wordpad.exe_ ontvangen op 2007.11.29 08:39:22 (CET)
Huidig status: Einde

Resultaat: 15/32 (46.88%)
Geformatteerd Resultaten afdrukken
Antivirus Versie Laatst geüpdatet Resultaat
AhnLab-V3 - - -
AntiVir - - TR/Crypt.CFI.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - PUA.Packed.TeLock
DrWeb - - modification of Win32.HLLM.Generic.423
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - Email-Worm.Win32.VB.cy
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - Email-Worm.Win32.VB.cy
McAfee - - -
Microsoft - - -
NOD32v2 - - probably a variant of Win32/Genetik
Norman - - -
Panda - - Trj/Dadobra.AHA
Prevx1 - - Heuristic: Suspicious Self Modifying EXE
Rising - - -
Sophos - - Mal/Heuri-D
Sunbelt - - VIPRE.Suspicious
Symantec - - -
TheHacker - - W32/Behav-Heuristic-066
VBA32 - - suspected of Trojan-Spy.xBank.8
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.CFI.Gen
Extra informatie
MD5: 2040aa1682a67d9885e5b2624f516d81
SHA1: c3a4905114fc902ab11d98b4b48cd93223b3cfed
SHA256: 2bfa2660753fa821521fab0b3175126ce605351484cdee52e5479889ee6af6ef
SHA512: d351bcf480e18f9ed54e9ac3dc4b11530b3841725c69a13680183763bb571f996576153b3285dc9cb9e322fc57212d39f3c6847921a24d78d91236b84b468400

I don’t know exactly what you last post says, but i’m gonna read it thoroughly now and do what you say
thanks again!

part 1 of the clean autoruns exceeds the maximum allowed length so much, i think i have to cut it up into many pieces to be able to post it here, i can’t even think how many pieces, it’s a really big notepadfile.
my computer already feels a lot cleaner tho.
should i email those 2 parts to you or something?

in the end of both of the reports it says this:

Part1 Report
di 08-04-2008 2:43:58,21

No Autorun files found in C:\WINDOWS

No Autorun files found in C:\WINDOWS\system32

No Autorun files found in root of C:

No Autorun files found in root of D:

No Autorun files found in root of E:

and in the other one:

Part2 Report
di 08-04-2008 2:43:58,89

No Autorun files found in C:\WINDOWS

No Autorun files found in C:\WINDOWS\system32

No Autorun files found in root of C:

No Autorun files found in root of D:

No Autorun files found in root of E:

so i guess that’s pretty good.
is the virus gone you think?

No, don’t think so. Polonus is probably asleep, it’s late where he is, so I’ll give a hand 'til he gets back.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[]Please, never rename Combofix unless instructed.
[
]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[
]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Thanks again for helping me. how does this combofix work exactly?
i’ve disabled avast and tried running it, but nothing happened. i just saw a blue screen pop up for maybe a second and then nothing.
then i’ve looked further through my computer and decided to also shut down the windows firewall and try running it again, but the same thing. i don’t think combifix is running on my computer.
i did save it directly onto my desktop but i wasn’t disconnected from the internet once, and i didn’t see anything happening.
anyway i’ve started avast and the firewall again untill someone can explain this further to me.

am i an idiot?

No, it sounds like you have followed the instructions to the letter. It may be a corrupt download or possibly malware that is preventing combofix from running correctly, What you should get is a blue interface. It seems like it is starting then exiting.

Please delete the copy of combofix from your desktop, then download a new copy with these instructions.

It is vitally important that combofix is renamed before it is even started to download

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

[]It is important you rename Combofix during the download, but not after.
[
]Please do not rename Combofix to other names, but only to the one indicated.
[]Close any open browsers.
[
]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[
]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

i want to download the programme and run it, but either link you gave me doesnt work for me.
any onther place i can find it?

okay it worked!!
this is the combofix log (2parts):

ComboFix 08-04-07.5 - Nicoline 2008-04-08 15:55:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.203 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\Nicoline\Bureaublad\Combo-Fix.exe

  • Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nicoline\Application Data\macromedia\Flash Player#SharedObjects\N4F2XQBR\iforex.com
C:\Documents and Settings\Nicoline\Application Data\macromedia\Flash Player#SharedObjects\N4F2XQBR\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Nicoline\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#iforex.com
C:\Documents and Settings\Nicoline\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#iforex.com\settings.sol
C:\WINDOWS\svchosts.exe
C:\WINDOWS\system32\wordpad.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-03-08 to 2008-04-08 ))))))))))))))))))))))))))))))
.

2008-04-08 12:46 . 2008-04-08 12:46 d-------- C:\ComboFix
2008-04-08 02:41 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-04-08 02:41 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-04-06 14:15 . 2008-04-06 14:15 d-------- C:\Program Files\Trend Micro
2008-04-03 22:29 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-03 22:29 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-02 01:40 . 2008-04-02 01:40 96,577 --a------ C:\WINDOWS\hpqins16.dat
2008-04-01 19:46 . 2008-04-01 19:53 d-------- C:\Program Files\MSECache
2008-03-27 12:09 . 2008-04-08 12:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-27 12:09 . 2008-03-27 12:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-23 13:31 . 2008-03-23 13:31 909 --a------ C:\WINDOWS\system32\explori.exe
2008-03-10 12:58 . 2008-03-10 12:58 d-------- C:\Documents and Settings\Nicoline\Application Data\Sonic
2008-03-10 12:57 . 2008-03-10 12:57 d-------- C:\Documents and Settings\Nicoline\Application Data\Leadertech

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 01:04 --------- d-----w C:\Documents and Settings\Nicoline\Application Data\Skype
2008-04-04 12:01 --------- d-----w C:\Documents and Settings\Nicoline\Application Data\uTorrent
2008-04-03 13:08 --------- d-----w C:\Program Files\Soulseek
2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2008-01-28 09:11 508,149 ----a-w C:\WINDOWS\system32\imagens11.exe
2008-01-28 09:11 22,528 ----a-w C:\WINDOWS\system32\Partizan.exe

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Nota lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“BitTorrent”=“C:\Program Files\BitTorrent\bittorrent.exe”
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-07-11 17:56 68856]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-09-02 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Apoint”=“C:\Program Files\Apoint\Apoint.exe” [2004-11-17 13:47 118784]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [2005-08-17 22:40 64512]
“igfxtray”=“C:\WINDOWS\system32\igfxtray.exe” [2006-04-05 04:21 94208]
“igfxhkcmd”=“C:\WINDOWS\system32\hkcmd.exe” [2006-04-05 04:21 77824]
“igfxpers”=“C:\WINDOWS\system32\igfxpers.exe” [2006-04-05 04:21 118784]
“SkyTel”=“SkyTel.EXE” [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
“AzMixerSel”=“C:\Program Files\Realtek\InstallShield\AzMixerSel.exe” [2005-08-25 07:21 53248]
“Mouse Suite 98 Daemon”=“ICO.EXE” [2002-03-14 16:46 45056 C:\WINDOWS\system32\ico.exe]
“SonyPowerCfg”=“C:\Program Files\Sony\VAIO Power Management\SPMgr.exe” [2006-08-10 15:17 217088]
“ISBMgr.exe”=“C:\Program Files\Sony\ISB Utility\ISBMgr.exe” [2004-02-20 14:12 32768]
“Switcher.exe”=“C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe” [2006-02-14 12:11 176128]
“VAIO Update 2”=“C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe” [2005-10-11 21:36 151552]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-03-29 19:37 79224]
“UVS10 Preload”=“C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe” [2006-03-07 01:52 36864]
“HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2006-02-19 03:41 49152]
“PCSuiteTrayApplication”=“C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” [2007-03-23 13:20 227328]
“Google Desktop Search”=“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” [2007-07-30 15:06 1836544]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-06-29 06:24 286720]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2007-09-26 14:42 267064]
“taskmgra”=“C:\WINDOWS\system32\wordpad.exe”

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-09-02 14:00 15360]
“Nokia.PCSync”=“C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe” [2007-03-27 15:58 1744896]

C:\Documents and Settings\All Users\Menu Start\Programma’s\Opstarten
Adobe Reader Snelle start.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2006-06-20 16:11 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“AppInit_DLLs”=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“VIDC.dvsd”= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
“msacm.dvacm”= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
“msacm.MPEGacm”= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
“msacm.ulmp3acm”= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“C:\Program Files\Soulseek\slsk.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“C:\Program Files\Messenger\msmsgs.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hposid01.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe”=
“C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe”=
“C:\Program Files\MSN Messenger\msnmsgr.exe”=
“C:\Program Files\MSN Messenger\livecall.exe”=
“C:\Program Files\iTunes\iTunes.exe”=
“C:\Program Files\mIRC\mirc.exe”=
“C:\Program Files\uTorrent\uTorrent.exe”=
“C:\Program Files\12Voip.com\12Voip\12Voip.exe”=
“C:\Program Files\Skype\Phone\Skype.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“5353:UDP”= 5353:UDP:Bonjour
“6881:TCP”= 6881:TCP:bittorrent
“7000:TCP”= 7000:TCP:irc
“6667:TCP”= 6667:TCP:irc
“54321:UDP”= 54321:UDP:utorrent
“54321:TCP”= 54321:TCP:utorrent
“40231:TCP”= 40231:TCP:utorrent

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 18:26]
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys [2006-02-21 11:32]
S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2002-04-11 17:43]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2005-07-14 20:10]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 18:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{3574c242-3f88-11dc-b6c0-0013a97e6eac}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{46ec231c-6b49-11dc-b6f9-0016cf6a96a0}]
\Shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{46ec231e-6b49-11dc-b6f9-0016cf6a96a0}]
\Shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{46ec231f-6b49-11dc-b6f9-0016cf6a96a0}]
\Shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ea89367d-f0be-11db-b61c-904bc0495dce}]
\Shell\AutoRun\command - H:\autoRcd.exe

.
Inhoud van de ‘Gedeelde Taken’ map
“2008-01-23 19:20:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 15:57:19
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen …

scannen van verborgen autostart items …

scannen van verborgen bestanden …

Scan succesvol afgerond
verborgen bestanden: 0


.
Voltooingstijd: 2008-04-08 15:57:46
ComboFix-quarantined-files.txt 2008-04-08 13:57:37
Pre-Run: 3,461,906,432 bytes beschikbaar
Post-Run: 3,450,789,888 bytes beschikbaar
.
2008-03-22 22:31:00 — E O F —

and this is the hijack this log (also 2 parts):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:01:25, on 8-4-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\PROGRA~1\GOOGLE~1\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM..\Run: [SonyPowerCfg] “C:\Program Files\Sony\VAIO Power Management\SPMgr.exe”
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM..\Run: [VAIO Update 2] “C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe” /Stationary
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [taskmgra] C:\WINDOWS\system32\wordpad.exe
O4 - HKCU..\Run: [BitTorrent] “C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Lokale service’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Netwerkservice’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add RSS Support Site to VAIO Information FLOW - C:\Program Files\Sony\VAIO Information FLOW\aiesc.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe


End of file - 12083 bytes

niekoolien

I just got hit by a driveby, I’ll get back to this as soon as I’m sure my system is clean.

In the meantime, please change ALL your password to any type of account or forum that you log into. Please do this from a know clean computer. Do not use the one that we are cleaning.

Thanks

Hi, I’m back. Again, please change all passwords from a clean machine. do not do any banking from this computer.

Let’s try to clear this up first, then work on the autorun.

Dwonload Bankerfix from this link and save t to your desktop

http://linhadefensiva.uol.com.br/dl/bankerfix

Double click the file you downloaded to run it. Click Ok and Ok again.
Clcik in the bankerfix window and hit enter.
Let the program run. When it’s done, you should see the results on the screen.

A log will be created at C:\LinhaDefensiva\relatorio.txt. Please post the contents of that log.

Here’s a rough translation of the instructions

It saves the tool in its hard disk. In case that its antivirus possesss some blockade of scripts, it is possible that it alerts that the tool is unsafe. This blockade exists because, during a time, many viruses were programmed in languages of “script”. The BankerFix also is created in this language, but it is not about a virus. Of any form, the antivirus will be able to alert it with a message asking if you want to execute script or not. It is certifyd to allow its execution or the tool will not go to function.

He gives a double-click in bankerfix.exe If you are executing it for the first time, a message asking for to confirm the existence of connection with the InterNet you will be shown. Click in OK. When the BankerFix will be installed, a confirmation message will go to appear. Click in OK to execute it or To cancel to leave If you to execute it, a window of simple text will go to appear in the screen. It closes all the windows and programs, with exception of the Banker Fix

Click in the window of the BankerFix and presses any keyboard key. The BankerFix makes the alone remaining portion You will go to receive a message informing if no problem was found, if some problem was found and solved or if some archives infectados they could not have been removed Closes the window.

If you are able to read Portuguese, this is the link to the instructions.

http://linhadefensiva.uol.com.br/bankerfix/

Please post the Bankerfix results and a new HJT log

Thanks

Thanks for helping, i am at a different computer now and just changed all my passwords.

But this morning i wasn’t able to go online with my own computer, is it something i did with all the virusprogranmmes that i’ve been running that could have affected my computer into not being able to go online anymore, or do you think it was just a bad connection this moring or maybe even that virus i have that did it?

what kind of virus is it anyway? i’m just following all the instructions you are giving me, but i have no idea what kind of virus it is/was and what it’s doing with my computer. when i’m writing something in microsoft word my computer sometimes stutters and misses a few words i write, is this also the virus? and am i almost rid of this thing with these last steps i’m taking?

Thanks! I’ll check back tonight if i’m at home to see if my computer is able to go onto the net

Hi.

You are dealing with banker. This guy steals banking info and passwords, which is why I gave you the warning. It is prevelant in Brazil right now. Most of the removal info I can find is in Portuguese and online translater are not perfect.

Once we remove a couple of files, it should be gone, then just the autorun to deal with. That won’t take long.

Did you ever have these programs installed?

UnHackMe
or
RegRun Suite

Now connection proble, The only program that you ran was combofix and you where able to post your logs after that. So I don’t think it was anything that you ran up to that point. Did you run bankerfix before the problem started?

This could be malware related. Let’s check the usual suspects.

Do you have any type of connection such as mail, messenger? If you do check your browser and make sure it is not set to work of line. At the top of thebrowser, click file, make sure Work offline is not checked.

Check the firewall, make sure avast is not blocked. The files would be ashwebsv.exe, ashmaisv.exe, avast.setup.

If everything sems to be set right download this program

LSPfix

http://www.bleepingcomputer.com/files/lspfix.php

Download it to it’s own folder, for example C:\LSPfix

Disconnect from the internet (unplug the cable)

navigate to where you saved the file and double-click on it to start the application.

Click finish.

If possible, before you click finish, please copy the information in the left hand box (keep) and post it here.

Hopefully that will restore your connection.