Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:06 AM, on 12/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKCU..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


End of file - 3798 bytes

ComboFix should produce a log file and send the file to its quarantine folder?

So you should have that information somewhere.

I don’t see anything obvious in your log.

Wait… I found it… It’s Comodo BOClean that detected it. Sorry for the mistake.

12/17/2008 00:41:34: RSK-NIRCMD.SAA VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\32788R22FWJFW\NIRCMD.COM contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Owner


12/17/2008 00:42:00: RSK-NIRCMD.SAA VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\COMBOFIX\NIRCMD.COM contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Owner


12/17/2008 00:42:06: RSK-NIRCMD.SAA VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\COMBOFIX\NIRCMD.CFEXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Owner


12/17/2008 00:43:22: RSK-NIRCMD.SAA VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\NIRCMD.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Owner
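As an added example, not code from the thread, from Comodo or from the ComboFix project, here is a small parser for BOClean records in the format quoted above; it groups the hits by signature and separates paths inside the tool's own folders from the rest, which is the first thing to check when a HIPS alert looks like a false positive on a bundled utility. C:\COMBOFIX\ is taken from the log; treating C:\32788R22FWJFW\ as ComboFix's working folder is an assumption.

```python
import re
from collections import Counter, namedtuple

# Constructed sample input: three of the BOClean records quoted in the post above.
BOCLEAN_LOG = r"""
12/17/2008 00:41:34: RSK-NIRCMD.SAA VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\32788R22FWJFW\NIRCMD.COM contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Owner

12/17/2008 00:42:00: RSK-NIRCMD.SAA VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\COMBOFIX\NIRCMD.COM contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Owner

12/17/2008 00:43:22: RSK-NIRCMD.SAA VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\NIRCMD.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Owner
"""

# Folders ComboFix's own files are expected to live in. C:\COMBOFIX\ appears in the
# log; treating C:\32788R22FWJFW\ as ComboFix's working folder is an assumption here.
TOOL_DIRS = ("C:\\COMBOFIX\\", "C:\\32788R22FWJFW\\")

HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}): (.+?) STOPPED BY BOCLEAN!$", re.M)
PATH = re.compile(r"^(.+?) contained the trojan\.$", re.M)
USER = re.compile(r"^Logged in user: (.+)$", re.M)

Detection = namedtuple("Detection", "timestamp signature path user")

def parse_boclean(text):
    """Split the log on blank lines and pull the fields out of each complete record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hdr, path, user = HEADER.search(block), PATH.search(block), USER.search(block)
        if hdr and path and user:  # ignore partial or unrelated blocks
            records.append(Detection(hdr.group(1), hdr.group(2), path.group(1), user.group(1)))
    return records

def triage(records):
    """Group hits by signature and separate paths inside the tool's folders from the rest."""
    inside = [d.path for d in records if d.path.upper().startswith(TOOL_DIRS)]
    outside = [d.path for d in records if not d.path.upper().startswith(TOOL_DIRS)]
    # Paths outside the tool's folders need a manual check before the alert is dismissed.
    return {"signatures": dict(Counter(d.signature for d in records)),
            "in_tool_dir": inside, "outside_tool_dir": outside}
```

A single signature across every hit plus paths confined to the tool's folders points to a dual-use tool being flagged; any path outside them is worth comparing (for example by hash) against the copy inside the tool's folder.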

A question, should I post the HijackThis log while in safe mode without networking and command prompt?

A safe mode HJT log is of little value IMHO, as it doesn’t or might not show all that would be running in normal mode.

OK, I see, that means the previous HijackThis log in normal mode is alright? Back to the topic.
Then, since Comodo BOClean detected it and the log is safe, my computer is safe?

OK, had a look at the post 6 seconds before my reply ;D

I would google the file names just to see if there is any associated stuff that you can check for, http://www.google.co.uk/search?q=NIRCMD.COM and http://www.google.co.uk/search?q=NIRCMD.EXE.

There could be an element of doubt in the detection as there are some hits which show this might be a tool being detected as malicious because of what it does/can do (not unusual for tools like this to get pinged).

Firstly, thank you, really appreciated. Secondly, I found this post at the Bleeping Computer forum.

"NirCmd is a command-line utility that allows writing to and deletion of values and keys in the registry. BOClean targets nircmd.exe while CF is unpacking, and while it’s trying to run. Panda, Sophos and others target NirSoft tools as well.

Certain files that are part of the combofix tool such as nircmd.exe may at times be detected by some anti-virus as a “RiskTool”, “Hacking tool”, “Potentially unwanted tool” or even “Spyware-Adware”. Anti-virus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user or even remove them.

Such programs may have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. Potentially unwanted does not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others."

Is it true? Reliable? I don’t know much about this since this is the first time I have used ComboFix.

That is similar to one I read in the Google search I posted, hence my comment about tools.

Combofix is a valued tool and it comes with tools to help it do its job. The problem really lies with BOClean, a HIPS which is looking at behaviour, and this behaviour could be deemed at least suspicious. But a tool in the hands of a craftsman does a lot of good, and in the hands of a vandal does a lot of damage. It is hard for security applications to tell who is using the tool and for what purpose.

I see, anyways, do I still need to run the SDFix.exe stuff to clean up?
Regarding BOClean, I’ll go post in the Comodo forum about it.

Well, firstly I haven’t run the SDFix tool, so I don’t know what reason you feel you need to use it for; if it is merely to clean up ComboFix, I’m not even sure it does that.

My reason is I just want to ensure my computer is clean after that infection alert.

Those files are part of ComboFix and are safe… Why were you running ComboFix?

Since I have been using the computer without a format for a while now, I ran ComboFix for a check/fix etc.

ComboFix is a powerful tool and does sometimes have false positives, which, if you do not know how the programme works, you will not know how to restore any files from. For a general clean use Malwarebytes Anti-Malware. Specialist tools can sometimes go wrong, so I would recommend only using them under supervision.

I see, thanks. :)