I have a problem with my PC
I recently (and very stupidly) clicked on a link from one of my friends that came through MSN Messenger and said something like "hey look at this pic of you", followed by a link ending in my e-mail addy.
I have removed (or so I thought) the virus and any files related to it, and now get a message from avast every time I boot up saying
File: a.bat
BV:malware-gen
I click any of the options and it says it can't find it.
Last but not least, since I got this virus my computer loses control of the mouse (it just stays in the middle of the screen) and minimizes everything, and I can tell that it is sending the link for the virus to all my contacts on MSN.
Please help
Does avast! give the exact folder where the virus is? If so, just go to that folder and delete that file (a.bat). It works 100% with me.
Please download HijackThis from here …
http://filehippo.com/download_hijackthis/
Download and run HijackThis and post the contents of the log file (cut and paste) into this topic; you may need to split it over two or more posts depending on how large it is. Do not make any fixes until someone tells you what to fix.
Yeah, sorry, I meant to attach this earlier.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:04:53, on 15/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
E:\windows\System32\smss.exe
E:\windows\system32\winlogon.exe
E:\windows\system32\services.exe
E:\windows\system32\lsass.exe
E:\windows\system32\svchost.exe
E:\windows\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\windows\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
E:\windows\system32\nvsvc32.exe
E:\windows\system32\PnkBstrA.exe
E:\windows\system32\PnkBstrB.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\windows\EXPLORER.EXE
E:\windows\system32\nvraidservice.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\WINDOWS\system32\wbem\unsecapp.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\windows\system32\RUNDLL32.EXE
E:\windows\wkssvc.exe
E:\Program Files\DAEMON Tools Lite\daemon.exe
E:\windows\system32\ctfmon.exe
E:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\PROGRA~1\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Smivs\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=EXPLORER.EXE \836846.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - E:\Program Files\Adobe/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - E:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - E:\Program Files\Adobe/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - E:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NVRaidService] E:\windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [AsusStartupHelp] E:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "E:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200084797640
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBF13A65-EA59-46C2-8C2B-03FD91B6DC84}: NameServer = 192.168.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\windows\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\windows\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\windows\system32\PnkBstrB.exe
O23 - Service: Window Image Worker (windownetpker) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe (file missing)
--
End of file - 11635 bytes
I did try to delete c:\a.bat, but it isn't actually there?
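A helper reading the log above is looking for a few specific patterns: the F2 line that adds a second program to the Winlogon Shell= value, O4 Run entries that name a bare file instead of a full path (the [Windows Console] wkssvc.exe entry; the legitimate [SkyTel] SkyTel.EXE entry trips the same rule and simply needs a second look), an O23 service whose binary is a svchost.exe outside system32, and a process running straight from the Windows directory. The script below encodes those checks. It is an added example, not part of this thread or of HijackThis itself; its input is a constructed subset of the log posted above, and the rule set and field names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, with a
# few benign entries left in so the rules have negatives as well as positives.
SAMPLE_LOG = r"""
Running processes:
E:\windows\System32\smss.exe
E:\windows\EXPLORER.EXE
E:\windows\wkssvc.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: Shell=EXPLORER.EXE \836846.exe
O4 - HKLM\..\Run: [NVRaidService] E:\windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - E:\windows\system32\PnkBstrA.exe
O23 - Service: Window Image Worker (windownetpker) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe (file missing)
"""

PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
WINDIR_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.exe$", re.I)
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$", re.I)
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Core Windows process names that should only ever be loaded from %windir%\system32.
CORE_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def first_token(cmd: str) -> str:
    """Executable part of a Run-key command: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Return the log lines a helper would want to look at, with the reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Of the programs normally running at logon, only explorer.exe lives in the
        # Windows directory itself; worms like to drop a look-alike next to it.
        if PROCESS_RE.match(line):
            if WINDIR_ROOT_EXE_RE.match(line) and basename(line) != "explorer.exe":
                findings.append(Finding(line, "process running from the %windir% root"))
            continue

        m = SHELL_RE.match(line)
        if m:
            if m["shell"].strip().lower() != "explorer.exe":
                findings.append(Finding(line, "Winlogon Shell= changed: an extra program starts with the desktop"))
            continue

        m = RUN_RE.match(line)
        if m:
            exe = first_token(m["cmd"])
            if "\\" not in exe and ":" not in exe:
                findings.append(Finding(line, "autorun entry without a path: resolved through the search path at logon"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            path = m["path"].replace("(file missing)", "").strip()
            name = basename(path)
            if name in CORE_SYSTEM_NAMES and "\\system32\\" not in path.lower():
                findings.append(Finding(line, f"service binary named {name} outside system32"))
            elif m["owner"] == "Unknown owner" and "(file missing)" in m["path"]:
                findings.append(Finding(line, "service with unknown owner whose binary is already gone (stale registration)"))
            continue
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Everything the script flags still needs a human decision; the point is to pull the handful of lines worth reading out of a log that is mostly Adobe, NVIDIA and Office entries.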
Looks like you may have HackerDefender
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[*]Instead of Windows loading as normal, the Advanced Options Menu should appear;
[*]Select the first option, to run Windows in Safe Mode, then press Enter.
[*]Choose your usual account.
[*]Open the extracted SDFix folder and double click RunThis.bat to start the script.
[*]Type Y to begin the cleanup process.
[*]It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
[*]Press any key and it will restart the PC.
[*]When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
[*]Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
[*]Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Thank you
Sorry about the late reply, I had work.
Here is the SDFix log
SDFix: Version 1.143
Run by Smivs on 17/02/2008 at 12:10
Microsoft Windows XP [Version 5.1.2600]
Running From: E:\DOCUME~1\Smivs\Desktop\SDFix
Checking Services:
Name:
windownetpker
Path:
C:\Program Files\Internet Explorer\svchost.exe
windownetpker - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Checking Files:
Trojan Files Found:
E:\windows\wkssvc.exe - Deleted
Removing Temp Files...
ADS Check:
[b][u]Final Check[/u][/b]:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 12:24:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\Program Files\DAEMON Tools Lite"
"h0"=dword:00000000
"khjeh"=hex:a3,7c,00,30,59,0d,62,68,03,0b,18,b0,cb,c0,1e,69,2b,35,5b,fe,bb,...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,13,39,11,d1,b8,97,16,28,cf,79,fc,fa,25,c2,80,ad,95,...
"khjeh"=hex:cd,a6,ee,7b,d1,cf,ca,1b,bb,ca,22,24,98,ea,a8,88,51,b9,7d,d7,a4,...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:1a,98,5c,18,6e,f4,b5,fb,0a,29,01,f2,a2,4e,c7,0a,31,74,f4,76,12,...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\Program Files\DAEMON Tools Lite"
"h0"=dword:00000000
"khjeh"=hex:a3,7c,00,30,59,0d,62,68,03,0b,18,b0,cb,c0,1e,69,2b,35,5b,fe,bb,...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,13,39,11,d1,b8,97,16,28,cf,79,fc,fa,25,c2,80,ad,95,...
"khjeh"=hex:cd,a6,ee,7b,d1,cf,ca,1b,bb,ca,22,24,98,ea,a8,88,51,b9,7d,d7,a4,...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:1a,98,5c,18,6e,f4,b5,fb,0a,29,01,f2,a2,4e,c7,0a,31,74,f4,76,12,...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019"
"E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE::Enabled:Microsoft Office Outlook"
"E:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="E:\Program Files\Microsoft Office\Office12\GROOVE.EXE::Enabled:Microsoft Office Groove"
"E:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="E:\Program Files\Microsoft Office\Office12\ONENOTE.EXE::Enabled:Microsoft Office OneNote"
"E:\Program Files\Bonjour\mDNSResponder.exe"="E:\Program Files\Bonjour\mDNSResponder.exe::Enabled:Bonjour"
"E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe"="E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe::Enabled:Adobe Version Cue CS3 Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000"
"E:\Program Files\Messenger\msmsgs.exe"="E:\Program Files\Messenger\msmsgs.exe::Enabled:Windows Messenger"
"G:\FEAR\FEAR.exe"="G:\FEAR\FEAR.exe::Enabled:FEAR"
"G:\FEAR\FEARMP.exe"="G:\FEAR\FEARMP.exe::Enabled:FEARMP"
"E:\Program Files\Windows Live\Messenger\msnmsgr.exe"="E:\Program Files\Windows Live\Messenger\msnmsgr.exe::Enabled:Windows Live Messenger"
"E:\Program Files\Windows Live\Messenger\livecall.exe"="E:\Program Files\Windows Live\Messenger\livecall.exe::Enabled:Windows Live Messenger (Phone)"
"E:\WINDOWS\system32\PnkBstrA.exe"="E:\WINDOWS\system32\PnkBstrA.exe::Enabled:PnkBstrA"
"E:\WINDOWS\system32\PnkBstrB.exe"="E:\WINDOWS\system32\PnkBstrB.exe::Enabled:PnkBstrB"
"E:\Program Files\Xfire\xfire.exe"="E:\Program Files\Xfire\xfire.exe::Enabled:Xfire"
"E:\Program Files\BitComet\BitComet.exe"="E:\Program Files\BitComet\BitComet.exe::Enabled:BitComet - a BitTorrent Client"
"E:\Program Files\Sports Interactive\Football Manager 2008\fm.exe"="E:\Program Files\Sports Interactive\Football Manager 2008\fm.exe::Enabled:Football Manager 2008"
"E:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="E:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe::Enabled:Call of Duty(R) 4 - Modern Warfare™ "
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000"
"E:\Program Files\Windows Live\Messenger\msnmsgr.exe"="E:\Program Files\Windows Live\Messenger\msnmsgr.exe::Enabled:Windows Live Messenger"
"E:\Program Files\Windows Live\Messenger\livecall.exe"="E:\Program Files\Windows Live\Messenger\livecall.exe::Enabled:Windows Live Messenger (Phone)"
Remaining Files:
File Backups: - E:\DOCUME~1\Smivs\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes:
Wed 13 Feb 2008 147,968 A.SHR --- "E:\016668.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\052357.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\068000.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\142402.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\178631.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\216014.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\223212.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\223863.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\228665.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\304454.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\383476.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\400123.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\408182.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\417120.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\420045.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\433076.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\475357.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\535285.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\565653.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\576762.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\641261.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\712774.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\722002.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\736467.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\737774.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\751536.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\764887.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\787060.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\787781.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\820746.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\836107.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\836846.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\860624.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\865847.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\874260.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\884226.exe"
Wed 16 Jan 2008 4,348 ...SH. --- "E:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 13 Jan 2008 0 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT3.tmp"
Sun 13 Jan 2008 0 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT1.tmp"
Sun 13 Jan 2008 0 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT5.tmp"
Fri 11 Jan 2008 3,620,096 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\3bdf33c4f0a5eff310bdad33e743de6e\BITD.tmp"
Fri 11 Jan 2008 1,227,048 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\48d85fb04f13809454220d69730ddb42\BITC.tmp"
Fri 11 Jan 2008 23,510,720 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\b040933e0deef5a2e9484ab144f5202f\BIT9.tmp"
Sun 13 Jan 2008 0 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT4.tmp"
Sun 13 Jan 2008 0 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT6.tmp"
Sun 13 Jan 2008 0 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT2.tmp"
Fri 11 Jan 2008 23,975,280 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\faf3c3f93783cf6f2a2360217c57fab7\BITB.tmp"
Thu 14 Feb 2008 65,536 A...H. --- "E:\Documents and Settings\Smivs\Local Settings\Application Data\Microsoft\Outlook~Outlook.pst.tmp"
Thu 14 Feb 2008 65,536 A...H. --- "E:\Documents and Settings\Smivs\Local Settings\Application Data\Microsoft\Outlook~Outlsmithers_953@hotmail.com-00000002.pst.tmp"
Finished!
And here is the HijackThis log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:32:50, on 17/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
E:\windows\System32\smss.exe
E:\windows\system32\winlogon.exe
E:\windows\system32\services.exe
E:\windows\system32\lsass.exe
E:\windows\system32\svchost.exe
E:\windows\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\windows\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
E:\windows\system32\nvsvc32.exe
E:\windows\system32\PnkBstrA.exe
E:\windows\system32\PnkBstrB.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\windows\system32\WgaTray.exe
E:\windows\Explorer.EXE
E:\windows\system32\notepad.exe
E:\windows\system32\nvraidservice.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\WINDOWS\system32\wbem\unsecapp.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\windows\system32\RUNDLL32.EXE
E:\Program Files\DAEMON Tools Lite\daemon.exe
E:\windows\system32\ctfmon.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\PROGRA~1\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Smivs\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - E:\Program Files\Adobe/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - E:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - E:\Program Files\Adobe/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - E:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NVRaidService] E:\windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [AsusStartupHelp] E:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "E:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200084797640
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBF13A65-EA59-46C2-8C2B-03FD91B6DC84}: NameServer = 192.168.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\windows\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\windows\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\windows\system32\PnkBstrB.exe
--
End of file - 11498 bytes
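The most telling part of the SDFix report above is the "Files with Hidden Attributes" section: thirty-six executables with six-digit random names, every one 147,968 bytes, every one marked system+hidden, all sitting in the root of E:\. That is one dropper copied under many names, and a quick grouping of the hidden-file list makes such a cluster stand out from the legitimate hidden files (the DRM backup, the BITS download temp files, the Outlook temp file). The script below parses that section and does the grouping. It is an added example, not part of this thread or of SDFix; its input is a constructed subset of the report above, written with the plain "---" and straight quotes the tool prints, and the class and function names are this example's own.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# One line of the "Files with Hidden Attributes" section:
#   <day> <dd> <mon> <yyyy> <size> <attrs> --- "<path>"
LINE_RE = re.compile(
    r'^(?P<date>[A-Za-z]{3} +\d{1,2} [A-Za-z]{3} \d{4}) +'
    r'(?P<size>[\d,]+) +(?P<attrs>\S+) --- "(?P<path>[^"]+)"$'
)

# Constructed sample: a few of the root-directory executables from the report
# above plus its legitimate hidden files, so both outcomes are exercised.
SAMPLE_REPORT = r"""
Files with Hidden Attributes:
Wed 13 Feb 2008 147,968 A.SHR --- "E:\016668.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\052357.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\836846.exe"
Wed 13 Feb 2008 147,968 A.SHR --- "E:\884226.exe"
Wed 16 Jan 2008 4,348 ...SH. --- "E:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 13 Jan 2008 0 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT3.tmp"
Fri 11 Jan 2008 3,620,096 A...H. --- "E:\WINDOWS\SoftwareDistribution\Download\3bdf33c4f0a5eff310bdad33e743de6e\BITD.tmp"
Thu 14 Feb 2008 65,536 A...H. --- "E:\Documents and Settings\Smivs\Local Settings\Application Data\Microsoft\Outlook~Outlook.pst.tmp"
Finished!
"""

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".pif", ".bat"}


@dataclass(frozen=True)
class HiddenFile:
    date: str
    size: int
    attrs: str
    path: PureWindowsPath

    @property
    def in_drive_root(self) -> bool:
        return self.path.parent.name == ""

    @property
    def system_and_hidden(self) -> bool:
        return "S" in self.attrs and "H" in self.attrs

    @property
    def is_executable(self) -> bool:
        return self.path.suffix.lower() in EXECUTABLE_SUFFIXES


def parse_hidden_files(report: str) -> list[HiddenFile]:
    """Pull the hidden-file entries out of an SDFix report; other lines are skipped."""
    files = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        files.append(HiddenFile(
            date=m["date"],
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            path=PureWindowsPath(m["path"]),
        ))
    return files


@dataclass
class Cluster:
    size: int
    attrs: str
    directory: str
    files: list[HiddenFile]


def cluster_identical(files: list[HiddenFile], min_count: int = 3) -> list[Cluster]:
    """Group executables by (size, attributes, directory). A dropper that keeps
    re-copying itself under random names shows up as one large group."""
    groups: dict[tuple[int, str, str], list[HiddenFile]] = defaultdict(list)
    for f in files:
        if f.is_executable:
            groups[(f.size, f.attrs, str(f.path.parent))].append(f)
    return [Cluster(size, attrs, directory, members)
            for (size, attrs, directory), members in sorted(groups.items())
            if len(members) >= min_count]


def root_system_hidden_executables(files: list[HiddenFile]) -> list[HiddenFile]:
    """Executables marked system+hidden in a drive root. XP keeps a few boot files
    there with those attributes (ntldr, boot.ini, NTDETECT.COM) but no .exe."""
    return [f for f in files if f.is_executable and f.system_and_hidden and f.in_drive_root]


if __name__ == "__main__":
    entries = parse_hidden_files(SAMPLE_REPORT)
    for c in cluster_identical(entries):
        print(f"{len(c.files)} x {c.size} bytes, attrs {c.attrs}, in {c.directory}")
        for f in c.files:
            print(f"    {f.path}")
    print("system+hidden executables in a drive root:",
          [str(f.path) for f in root_system_hidden_executables(entries)])
```

On the full report above the cluster rule would return a single group of thirty-six entries, which is exactly the set a helper would want removed together rather than one file at a time.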
OK, one down and the rest to get; SDFix showed a few assorted trojans remaining.
Download ComboFix from Here or Here to your Desktop.
[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Hmmm
The file won't run
It says it is not a valid Win32 application...
Thank you for the ongoing help
Could you go to the website in my sig and download the saladino zip file, as that is a renamed copy of ComboFix. Download, unzip and run, and let me know what happens.