rootkit in system 32

Hi all, had an avast warning that I had a rootkit, deleted it (I hope), and did a boot time scan which showed up…

Trojan-gen in system32, awvts.exe, sent that to the chest. It says in the chest last change was 17/4/07 and transfer date 25/4/08, not sure what this means… ???

Is the system clear, or should I re-scan with? Not sure which program to use; any advice appreciated… thanks guys

Win XP all patches in place

susz :slight_smile:

An update here, scanned with AVG Antispy, nothing found…

scanned with F-SECURE and it found vundo.gen38 in c:\WINDOWS\IJIIJL.INI whatever that is…

Although avast picked the first infection up, how come it missed this one???

Now am I clean? Or is there something else lurking in here? Would be interested in your comments ???
thanks all

Hi, I checked the first filename you posted, it looks like a good detection. All anti malware scanners miss some, unfortunately.

From what you have posted, there is too little info to base an opinion on. We can have a deeper look if you wish. Just give the word.

Hi and thank you, yes I wonder what else I may need to scan with to check if the system is clean… I was surprised avast missed the vundo after getting the first one.

Any advice appreciated :slight_smile:

Vundo is just very prolific, constantly changing variants to outrun the AVs.

AVG-AS is now very dated; it hasn’t really kept pace since Grisoft bought it out, and it is now no longer available as a stand-alone free application. I would suggest that you use SAS as it is a better anti-spyware scanner IMHO. It also has reasonable Vundo detections, so using that as a regular weekly scan should back up avast nicely.

SUPERantispyware On-Demand only in free version.

Hi David and thanks…will run SAS and post back :slight_smile:

You’re welcome.

SAS found nothing, so looking good, thanks again David will do weekly scans with SAS from now on :slight_smile:

Hi SUSZ,

Dangerous awvts.exe - Dangerous

awvts.exe
We suggest you remove awvts.exe from your computer as soon as possible.
Awvts.exe is Trojan/Backdoor.

Kill the process awvts.exe and remove awvts.exe from Windows startup. 

What we know about AWVTS.EXE:
The filename AWVTS.EXE was first seen on Dec 20 2007 in The EUROPEAN UNION. It has also been seen in the following geographical regions of the Prevx community:

* ITALY on Jan 24 2008
* NETHERLANDS on Apr 19 2008
* The UNITED KINGDOM on Jan 2 2008

The filename AWVTS.EXE refers to many versions of an executable program.
The most common file size is 335,360 bytes. But the following file sizes have also been seen:

* 338,432 bytes
* 348,160 bytes

The filename is associated with the malware group Trojan.Vundo. Some files using the name AWVTS.EXE are also associated with the malware group:

* Dropper.Agent.GIT

These files have no vendor, product or version information specified in the file header.
AWVTS.EXE has been seen to perform the following behavior(s):

* This Process Creates Other Processes On Disk
* The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
* The Process is packed and/or encrypted using a software packing process
* Registers a Dynamic Link Library File
* Executes a Process

AWVTS.EXE has been the subject of the following behavior(s):

* Executed as a Process
* Deleted as a process from disk
* Created as a process on disk

AWVTS.EXE can also use the following file names:

* RCX18.TMP
* AWV
* RCXD.TMP
* RCXE.TMP

Virus, Spyware & Malware Center
The exe can come under 44 different disguises, so you better provide us with a hijackthis log
as an attachment to your next posting, to see whether you haven’t run into the latest new vundo version…

polonus

WOW thanks Damian, will try to remember how to do a log and post it, have noticed the pc has been running slow at start up for a few days, maybe that is/was the problem :frowning:

If you are experiencing problems, I think a combofix log to go along with the HJT log may be in order. Since this is vundo, this method of using combofix is probably the best.

It is vitally important that combofix is renamed before it even starts to download

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

* If you are using Firefox, make sure that your download settings are as follows:
  - Tools->Options->Main tab
  - Set to “Always ask me where to Save the files”.
* During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* It is important you rename Combofix during the download, but not after.
* Please do not rename Combofix to other names, but only to the one indicated.
* Close any open browsers.
* Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
* Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

* Double click on combofix.exe & follow the prompts.
* When finished, it will produce a report for you.
* Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

I have done this bit right so far lol

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:20, on 26/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\AOL\1178117888\ee\AOLSoftware.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\PCHButton.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://esampler.tns-global.com/esampler/writeaoltest.html?harvest,AOL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [HostManager] “C:\Program Files\Common Files\AOL\1178117888\ee\AOLSoftware.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [eBayToolbar] “C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\PCHButton.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip..{D6836D0D-4E7B-4AFE-AFD2-B53B5D144D7B}: NameServer = 205.188.146.145
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


End of file - 6869 bytes

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Did you or someone else set these?

I know I didn’t, no idea what they are???

They are just lines saying that there are restrictions in place. The restrictions could be things like no downloads allowed, no setting changes allowed. They are usually placed there by administrators or people who don’t want anyone playing with their settings. Occasionally malware makes such settings.

Go ahead with the combofix and we’ll see what is going on.

Here goes…I hope lol

ComboFix 08-04-24.1 - HP_Owner 2008-04-26 22:02:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.735 [GMT 1:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\Combo-Fix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 21:32 . 2008-04-26 21:32 d-------- C:\Program Files\Trend Micro
2008-04-26 19:58 . 2008-04-26 19:58 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-26 19:58 . 2008-04-26 19:58 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 01:39 . 2008-04-26 01:39 d-------- C:\fsaua.data
2008-04-20 23:56 . 2008-04-20 23:56 d-------- C:\Program Files\Xilisoft
2008-04-19 22:07 . 2008-04-19 22:07 d-------- C:\Program Files\YASAMP4Converter
2008-04-19 21:57 . 2008-04-19 22:01 d-------- C:\Documents and Settings\HP_Owner\Application Data\DVD Flick
2008-04-16 01:09 . 2008-04-16 01:09 d-------- C:\Program Files\eBay
2008-04-16 01:09 . 2008-04-16 01:09 d-------- C:\Documents and Settings\HP_Owner\Application Data\InstallShield
2008-04-16 01:09 . 2008-04-16 12:21 d-------- C:\Documents and Settings\HP_Owner\Application Data\eBay
2008-04-16 01:09 . 2008-04-26 21:56 d-------- C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-04-16 01:09 . 2008-04-16 01:09 d-------- C:\Documents and Settings\All Users\Application Data\eBay
2008-04-12 21:26 . 2008-04-13 21:22 0 --a------ C:\temp\EnhancedDataOutput.txt
2008-04-12 03:18 . 2008-04-22 21:54 54,156 --ah-c— C:\WINDOWS\QTFont.qfn
2008-04-12 03:18 . 2008-04-12 03:18 1,409 --a–c— C:\WINDOWS\QTFont.for
2008-04-06 15:55 . 2008-04-06 15:55 d-------- C:\WINDOWS\system32\Adobe
2008-03-31 20:52 . 2008-04-26 01:23 d-------- C:\Documents and Settings\HP_Owner\Application Data\OpenOffice.org2
2008-03-31 20:48 . 2008-03-31 20:48 d-------- C:\Program Files\OpenOffice.org 2.4
2008-03-31 20:47 . 2008-03-31 20:47 d-------- C:\Program Files\OpenOffice.org 2.4 (en-US) Installation Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 18:58 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2008-04-22 02:31 --------- d-----w C:\Program Files\YouTube Downloader
2008-04-22 02:27 --------- d—a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-22 02:26 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-20 22:55 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-04-20 22:55 --------- d-----w C:\Program Files\AVS4YOU
2008-04-19 16:28 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\uTorrent
2008-04-16 00:09 --------- d–h–w C:\Program Files\InstallShield Installation Information
2008-04-15 23:06 --------- d-----w C:\Program Files\Nokia
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 19:10 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Ahead
2008-03-18 18:09 --------- d-----w C:\Program Files\Ahead
2008-03-18 18:05 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-18 17:58 --------- d-----w C:\Program Files\UnderCoverXP
2008-03-17 02:41 --------- d-----w C:\Program Files\Yahoo!
2008-03-17 02:41 --------- d-----w C:\Program Files\SlySoft
2008-03-17 02:41 --------- d-----w C:\Program Files\QuickTime
2008-03-17 02:41 --------- d-----w C:\Program Files\PC Wizard 2006
2008-03-17 02:41 --------- d-----w C:\Program Files\jv16 PowerTools
2008-03-17 02:41 --------- d-----w C:\Program Files\Java
2008-03-17 02:41 --------- d-----w C:\Program Files\InterVideo
2008-03-17 02:41 --------- d-----w C:\Program Files\Common Files\Real
2008-03-17 02:41 --------- d-----w C:\Program Files\Common Files\MAGIX Shared
2008-03-17 02:41 --------- d-----w C:\Program Files\Common Files\aolshare
2008-03-17 02:41 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-17 02:40 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-17 02:40 --------- d-----w C:\Program Files\AOL 9.0
2008-03-17 02:30 --------- d-----w C:\Program Files\Common Files\Logitech
2008-03-17 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-17 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-15 00:51 --------- d-----w C:\Program Files\Ashampoo
2008-03-12 01:57 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVS4YOU
2008-03-12 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-03-11 21:54 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Ashampoo Photo Commander 5
2008-03-03 22:25 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Ashampoo
2008-03-03 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\ashampoo
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2006-05-23 17:34 24,192 -c–a-w C:\Documents and Settings\HP_Owner\usbsermptxp.sys
2006-05-23 17:34 22,768 -c–a-w C:\Documents and Settings\HP_Owner\usbsermpt.sys
2001-03-28 11:02 122,880 -c–a-w C:\WINDOWS\inf\Agfa\message.exe
2005-01-21 19:35 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 04:00 15360]
“Acme.PCHButton”=“C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\PCHButton.exe” [2004-01-02 04:14 159744]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-03-29 18:37 79224]
“MPFExe”=“C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe” [2003-08-18 19:57 1048576]
“AGRSMMSG”=“AGRSMMSG.exe” [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
“HostManager”=“C:\Program Files\Common Files\AOL\1178117888\ee\AOLSoftware.exe” [2006-11-17 14:21 50736]
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50 155648]
“eBayToolbar”=“C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe” [2008-03-13 14:30 652528]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoWinKeys”= 0 (0x0)
“NoFileAssociate”= 0 (0x0)
“NoCommonGroups”= 0 (0x0)
“NoSimpleStartMenu”= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“msacm.l3acm”= l3codecp.acm
“vidc.3ivx”= 3ivxVfWCodec.dll
“msacm.divxa32”= divxa32.acm
“VIDC.i263”= i263_32.drv
“msacm.imc”= imc32.acm
“msacm.scg726”= scg726.acm
“msacm.alf2cd”= alf2cd.acm
“vidc.dvsd”= mcdvd_32.dll

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
–a–c— 2004-08-04 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
–a------ 2006-11-17 14:21 50736 C:\Program Files\Common Files\AOL\1178117888\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
–a–c— 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
–a–c— 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
–a–c— 2007-05-18 22:07 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
-----c— 2007-09-07 17:13 292152 C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
–a–c— 2007-06-11 18:16 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“C:\Program Files\AOL 9.0\waol.exe”=
“C:\Program Files\uTorrent\uTorrent.exe”=
“C:\Program Files\Common Files\AOL\ACS\AOLDial.exe”=
“C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe”=
“C:\Program Files\Common Files\AOL\1178117888\ee\aolsoftware.exe”=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 23:42]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS
S3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{430c15e6-ba3f-11dc-9065-00038a000015}]
\Shell\AutoRun\command - InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{af3188d4-bd67-11dc-906b-00038a000015}]
\Shell\AutoRun\command - InstallTomTomHOME.exe

Newly Created Service - SASDIFSV
Newly Created Service - SASENUM
Newly Created Service - SASKUTIL
.
Contents of the ‘Scheduled Tasks’ folder
“2008-04-25 18:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 22:04:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …


.
Completion time: 2008-04-26 22:07:42
ComboFix-quarantined-files.txt 2008-04-26 21:06:38

Pre-Run: 59,660,808,192 bytes free
Post-Run: 59,648,499,712 bytes free

175 — E O F — 2008-04-10 02:04:35

sorry it was too big for 1 post

ummm what did the big red warning message about not having recovery installed mean???

Hi SUSZ,

Here is your hjt logfile analysis, and it will be here for the next three consecutive days:
http://www.hijackthis.de/logfiles/dd86db7977768246e654304a05bd3bfb.html

Cannot see much wrong here.
Just wait and see what oldman’s verdict on the ComboScript outcome will be, and mind you follow his instructions to clean up precisely when you have arrived at the end of his proposed cleansing routine. Follow his instructions to the dot, and you cannot be any more secure…

Surf safe and stay malware free is the wish and the command of,

Damian

P.S. Info about the red message here:
http://jkontherun.blogs.com/jkontherun/2004/10/windows_xp_reco.html

pol

Thank you Damian, much appreciate everyone’s help :slight_smile: