Win32:BHO-KD

Hi Guys.
I don't know what to do with this thing, I have read the other people's notifications, so I'm hoping you can also help me.
I'm new to this internet stuff, but I will try to do what you ask so I can get rid of this blooming trojan.
Avast finds it but no way can I delete, or send to chest, pretty much the same as all the other posts I have read about this trojan.
What is my next step?
Appreciate your help.
Many Thanks.

JPS

Why can’t it send it to the chest, etc. what errors are displayed ?

What is your OS ?

Have you tried a boot-time scan ?
If you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

HiJackThis - Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis - HJT Information HiJackThis Tutorial.

Download and run HJT and post the contents of the log file (cut and paste) into this topic, you may need to split it over two or more posts depending on how large it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48:35, on 12/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {330052B8-D2DA-4002-A6B0-6ADED622BCE9} - C:\WINDOWS\system32\commdl.dll
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-1004..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jim')
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-1005..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LaLa')
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-1006..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Mum')
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-500..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Administrator')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


End of file - 6096 bytes
???

What is your firewall (you don’t appear to have an active firewall) ?

Suspect
O2 - BHO: (no name) - {330052B8-D2DA-4002-A6B0-6ADED622BCE9} - C:\WINDOWS\system32\commdl.dll

A google search for commdl.dll returns many hits http://www.google.com/search?q=commdl.dll
This is just a couple of them, http://www.prevx.com/filenames/X3012994062459162860-0/COMMDL.DLL.html and http://www.greatis.com/appdata/d/c/_commdl.dll.htm.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

If undetected by avast, but detected by other scanners, send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
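As an added example (not code from the thread, HijackThis, ComboFix or avast), a small Python triage script that applies the same kind of checks the helper makes above over HJT log lines, plus the ComboFix service-line format that appears later in the thread. The flag rules are this example's own heuristics, and SAMPLE_LOG is constructed from lines in the posted logs.

```python
"""Triage heuristics for HijackThis (HJT) log lines and ComboFix
service/driver lines.

Added example for this thread; not part of the thread, HijackThis,
ComboFix or avast. Flag rules are this example's own defender-side
heuristics; SAMPLE_LOG is constructed from the logs posted above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# HJT entry: "<section> - <body>", e.g. "O2 - BHO: (no name) - {GUID} - C:\x.dll"
HJT_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# ComboFix driver line: "<start> <name>;<display>;<image path> [<timestamp>]"
CF_DRV_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<disp>[^;]*);"
    r"(?P<path>.+?)(?: \[(?P<ts>[^\]]+)\])?$"
)


@dataclass
class Finding:
    line: str
    reasons: List[str]


def triage_hjt(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, else None."""
    m = HJT_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec == "O2":
        # Body is "BHO: <name> - {GUID} - <dll path>"
        name = body[len("BHO: "):].split(" - ")[0]
        dll = body.rsplit(" - ", 1)[-1]
        if name == "(no name)":
            reasons.append("BHO registered without a name")
        if dll.lower().startswith("c:\\windows\\system32\\"):
            reasons.append("BHO loaded from system32, unusual for a legitimate add-on")
    elif sec == "O23" and body.endswith("(file missing)"):
        reasons.append("service registered but its image is missing")
    elif sec == "O9" and body.endswith("(no file)"):
        reasons.append("IE toolbar button with no backing file")
    return Finding(line, reasons) if reasons else None


def triage_combofix_driver(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious ComboFix driver line, else None."""
    m = CF_DRV_RE.match(line)
    if not m:
        return None
    reasons = []
    path = m.group("path").strip()
    # A boot-start driver whose file ComboFix could not timestamp is worth a look.
    if m.group("start") == "R0" and m.group("ts") is None:
        reasons.append("boot-start (R0) driver with no file timestamp")
    # Kernel drivers are normally .sys; a .dat image in the drivers folder is odd.
    if not path.lower().endswith(".sys"):
        reasons.append("driver image is not a .sys file (%s)" % path.rsplit("\\", 1)[-1])
    return Finding(line, reasons) if reasons else None


def triage(lines) -> List[Finding]:
    """Run both parsers over a log and collect the flagged lines in order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        f = triage_hjt(line) or triage_combofix_driver(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample: a mix of lines from the HJT and ComboFix logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {330052B8-D2DA-4002-A6B0-6ADED622BCE9} - C:\WINDOWS\system32\commdl.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
R0 wsuflwnr;wsuflwnr;C:\WINDOWS\system32\drivers\srefcxrr.dat
S2 Ca536av;4.1M MPEG4 DV Video Capture;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-07-09 10:49]
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

The flagged lines are a starting point for a human review of the log, not a verdict; the legitimate avast and Ca536av entries in the sample pass untouched.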

Hi.
Thanks for your response, I am running windows Firewall which is showing as being active when I just checked 23.18 GMT.
I will have a go at your recommendations tomorrow.
Here’s hoping.

JPS

Unfortunately the windows firewall is only half a firewall as it provides no outbound protection.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Hi again.
Thanks for the info, I have sent the file to Virus Total, so I guess I will wait for their reply, and then post the results as you suggested.
Many thanks again.

JPS

Just got the reply back from Virus Total. It doesn't look good as they can't find anything. Here is their report.

JPS

Complete scanning result of “huh.gif”, processed in VirusTotal at 02/13/2008 23:12:47 (CET).

[ file data ]

  • name: huh.gif
  • size: 196
  • md5.: e96d8fd93ac1c714fd7f7737ed066c03
  • sha1: a580817fee102d556f7f1b85d1307774dfb993ea
  • peid…: -

[ scan result ]
AhnLab-V3 2008.2.14.10/20080213 found nothing
AntiVir 7.6.0.65/20080213 found nothing
Authentium 4.93.8/20080213 found nothing
Avast 4.7.1098.0/20080213 found nothing
AVG 7.5.0.516/20080213 found nothing
BitDefender 7.2/20080213 found nothing
CAT-QuickHeal None/20080213 found nothing
ClamAV 0.92/20080213 found nothing
DrWeb 4.44.0.09170/20080213 found nothing
eSafe 7.0.15.0/20080213 found nothing
eTrust-Vet 31.3.5533/20080213 found nothing
Ewido 4.0/20080213 found nothing
F-Prot 4.4.2.54/20080213 found nothing
F-Secure 6.70.13260.0/20080213 found nothing
FileAdvisor 1/20080213 found nothing
Fortinet 3.14.0.0/20080213 found nothing
Ikarus T3.1.1.20/20080213 found nothing
Kaspersky 7.0.0.125/20080213 found nothing
McAfee 5229/20080213 found nothing
Microsoft 1.3204/20080213 found nothing
NOD32v2 2872/20080213 found nothing
Norman 5.80.02/20080213 found nothing
Panda 9.0.0.4/20080213 found nothing
Prevx1 V2/20080213 found nothing
Rising 20.31.10.00/20080213 found nothing
Sophos 4.26.0/20080213 found nothing
Sunbelt 2.2.907.0/20080213 found nothing
Symantec 10/20080213 found nothing
TheHacker 6.2.9.219/20080213 found nothing
VBA32 3.12.6.1/20080213 found nothing
VirusBuster 4.3.26:9/20080213 found nothing
Webwasher-Gateway 6.6.2/20080213 found nothing


VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Do not reply to this message. It has been generated by an automatic address that will not handle any reply. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

I have gone over the topic again and found that you didn’t answer some question.

Why can't it send it to the chest, etc. what errors are displayed ?
OR
Have you tried a boot-time scan ?

Considering that nothing was found at VT, including avast, was/is this the file that avast was alerting on, e.g. what is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

Is it still being detected on your system ?

Sorry for not taking more care when reading and replying to your help.
I hope the next information is ok.
I have tried sending it to the chest, and every time I try, I get an Avast warning saying "Avast: Access is denied cannot process". I then press the ‘OK’ button and the Avast warning comes up from the original saying I have a trojan called ‘C:\Windows\system32\commdl.dll[UPX]’. I then press the ‘No action’ button to clear the screen.
I have tried a boot time scan which detects the Trojan, but each time I try to move it to the chest I get asked about moving it because it is in Windows 32 system; when I click on ‘yes’ I get a reply ‘error message’, and nothing I try to do, whether to even try to delete, it will not let me.
It is still on my PC because the first time I go to go onto the internet, I get the Avast warning about the Trojan; when this comes up, I click on ‘No Action’ because it says that will not activate the Malware.
I hope I have covered everything, sorry for the mix up.
Really appreciate your help.
Many thanks.

JPS

Hi guys.

DavidR, hope I’m not stepping on your toes here, but this one is probably locked in by a service. Combofix will be required.

Phil Stubbs

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

Hi oldman.
Sorry for not getting back to you sooner, I had to sort something else on the computer, but as requested I have done a combo scan and the log is below along with the hijack this log.
Again many thanks for your help.


Hi again.
The system would not allow me to send all the hijack this and combo fix in one go, so here is combo’s log.
Thanks

ComboFix 08-02-25.3 - Owner 2008-02-27 17:16:34.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\aconti.log
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\hosts
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\poof

.
((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-24 20:39 . 2008-02-24 20:39 d-------- C:\Documents and Settings\Jim\Application Data\Yahoo!
2008-02-20 17:29 . 2008-02-20 17:29 d--hs---- C:\found.000
2008-02-18 22:02 . 2008-02-18 22:02 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-17 00:08 . 2008-02-17 00:08 32,648 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-02-14 23:39 . 2008-02-14 23:39 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 17:44 . 2008-02-12 17:44 d-------- C:\Program Files\Trend Micro
2008-02-10 16:53 . 2008-02-27 17:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-10 16:53 . 2008-02-27 17:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-03 15:25 . 2008-02-03 15:25 d---s---- C:\Documents and Settings\Mum\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 17:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-27 17:24 --------- d-----w C:\Program Files\SpywareDetector
2008-02-27 15:45 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-27 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-27 15:07 --------- d-----w C:\Program Files\Yahoo!
2008-02-17 17:55 --------- d-----w C:\Program Files\DivX
2008-02-12 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 11:03 6,144 ----a-w C:\WINDOWS\system32\SDEarlyDelete.exe
2008-01-28 20:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2008-01-27 20:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-25 18:58 67,024 ----a-w C:\WINDOWS\system32\CloseAll.exe
2008-01-06 20:32 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-31 16:36 --------- d-----w C:\Documents and Settings\LocalService\Application Data\PIE Service
2007-12-30 22:27 --------- d-----w C:\Documents and Settings\Jim\Application Data\DivX
2007-12-28 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2007-12-28 21:12 73,728 ----a-w C:\WINDOWS\system32\CavEmLSP.dll
2007-12-28 21:12 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-28 21:12 434,252 ----a-w C:\WINDOWS\system32\MSVCRTD.DLL
2007-12-28 21:12 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-28 21:12 216,576 ----a-w C:\WINDOWS\system32\monln.dll
2007-12-28 21:12 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.dll
2007-12-27 22:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Uniblue
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.


3rd time lucky, I hope. Too much info again.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{330052B8-D2DA-4002-A6B0-6ADED622BCE9}]
2001-08-23 04:00 84992 --a------ C:\WINDOWS\system32\commdl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27 1065288]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-12-24 17:39 706000]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2008-02-01 18:31 423376]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-11 05:25 77824]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-04 00:56 388608]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-24 15:02:49 124400]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2008-01-28 11:30 167936 C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EPSON Stylus C62 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SoundMan"=SOUNDMAN.EXE

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\WINDOWS\system32\sessmgr.exe"=
"C:\Program Files\Messenger\msmsgs.exe"=

R0 wsuflwnr;wsuflwnr;C:\WINDOWS\system32\drivers\srefcxrr.dat
S2 Ca536av;4.1M MPEG4 DV Video Capture;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-07-09 10:49]
S3 USBCamera;4.1M MPEG4 DV Bulk Driver;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]

.
Contents of the ‘Scheduled Tasks’ folder
“2007-12-06 22:22:33 C:\WINDOWS\Tasks\System Restore.job”

  • C:\WINDOWS\system32\Restore\rstrui.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 17:28:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.


.
Completion time: 2008-02-27 17:37:35 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-02-27 17:37:27
.
2008-02-17 00:52:24 --- E O F ---

Hi, no problem with the late reply. We have a couple of preliminary things to take care of, then we go after it.

First we have to disable teatimer. (I see you have it disabled, please leave it that way until we are done)

Open Spybot and make sure teatimer is disabled, we will re-enable afterwards. To do so do the following

Click mode
click Advanced mode
if you get a warning answer “yes”
click tools
click resident
uncheck resident “teatimer”
click allow change

Download and Unzip to your Desktop: http://www.techsupportforum.com/sectools/ResetTeaTimer.zip
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

If we use combofix again please note the following,

  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


Now to the task at hand. Please copy and paste this section into a notepad as you will be in safe mode.

Step #1

Start in Safe Mode Using the F8 method:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.

Use the arrow keys to select the Safe Mode menu item.

Press the Enter key.

Step #2

Now we will need to disable the driver for this thing. Please do the following:

Click Start, click Control Panel, click Performance and Maintenance, and then click System.

On the Hardware tab, click Device Manager.

Click the View menu and, if there is no checkmark in front of Show hidden devices, click on it to activate it.

Scroll down the list of devices and double-click Non-Plug and Play Drivers.

Locate wsuflwnr, right-click it and then click the Properties option.

Click the Driver tab.

In the Startup section select Disable from the drop-down list.

Click General tab.

In the Device Usage drop-down list select Do not use this device (disable).

Click the OK button and you should be prompted to reboot. You can reboot normally.

Back in normal Windows, please:

Open HJT, run a system scan only, and check-mark these lines if present:

O2 - BHO: (no name) - {330052B8-D2DA-4002-A6B0-6ADED622BCE9} - C:\WINDOWS\system32\commdl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Close all other browsers/windows, click fix, close HJT.

Please download The Avenger by Swandog46 to your Desktop.

1. Click on Avenger.zip to open the file, then extract avenger.exe to your desktop.

Quote:
    Drivers to unload:
    wsuflwnr

    Files to delete:
    C:\WINDOWS\system32\drivers\srefcxrr.dat
    C:\WINDOWS\system32\commdl.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now start The Avenger program by clicking on its icon on your desktop.
   - Under “Script file to execute” choose “Input Script Manually”.
   - Now click on the Magnifying Glass icon, which will open a new window titled “View/edit script”.
   - Copy/paste all the text in the above quote box into this window.
   - MAKE SURE THE TEXT MATCHES EXACTLY.
   - Click Done.
   - Now click on the Green Light to begin execution of the script.
   - Answer “Yes” twice when prompted.
3. The Avenger will automatically do the following:
   - It will restart your computer. (In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
   - On reboot, it will briefly open a black command window on your desktop; this is normal.
   - After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt.

4. Please copy/paste the content of C:\avenger.txt into your reply.

If you have any problems, or are not sure, please don’t hesitate to ask.

It looks like a lot, but please just take it one step at a time.

Also, it looks like you had AVG installed at one time. Did you uninstall it? If so, we can take care of a couple of redundant services next time.

I will require the Avenger results and a HJT log (HJT last, please).

Thanks.

Hi oldman.
Thanks for the reply.
You won’t believe this but I did all you asked, but have stumbled at the 2nd fence.
When you said to go to start, then control panel, no problem, but when I looked for ‘performance and maintenance’, there was no icon, nothing in the control panel section at all.
All I have under the ‘P’ section is Phone and Modem, Power options and Printer and Faxes, but no performance etc.
Hope you can help.
JPS

That’s ok, your computer is set up a little differently.

Try this: Start, Control Panel, System. You should now be able to see the Hardware tab. Just follow the instructions from that point onward.

Remember Safe Mode.

Hi Oldman.
Wow, that was a lot, but I did all you asked. The only thing was, the Avenger format was different to how you described it, although I did get through!!
As I type this I am running an Avast scan.
Fantastic!!! No Trojan found in the first scan.
Wait! It has just flagged up ‘Malware found’
File name is C:\Avenger\srefcxrr.dat
Malware name: Win32:Agent-PSI[Rtk]
Malware type: Rootkit
VPS version 080228-0, 28/02/2008

Tried to send to chest and it has come up with
Cannot process “C:\Avenger\srefcxrr.dat” file.
Will try to scan at reboot and let you know.
Below is the avenger results

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver “wsuflwnr” deleted successfully.
File “C:\WINDOWS\system32\drivers\srefcxrr.dat” deleted successfully.

Error: file “C:\WINDOWS\system32\commdl.dll” not found!
Deletion of file “C:\WINDOWS\system32\commdl.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist

Completed script processing.


Finished! Terminate.

Does it look like we have got rid of one to get another??
Thanks for your patience.

JPS

Hi again.
I have just restarted the PC and gone straight onto the web WITHOUT the Trojan coming up!!!
I think you have done it!!
I did not post the Hijack log so here it is below.
I did think that maybe the Avast! scan sees the Avenger as a threat; is that why the malware is named the same?
But anyway here’s the log and many thanks for your help and Patience with a newbie!!!

JPS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48:35, on 12/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {330052B8-D2DA-4002-A6B0-6ADED622BCE9} - C:\WINDOWS\system32\commdl.dll
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM..\Run: [SDTray] “C:\Program Files\Spyware Doctor\SDTrayApp.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-1004..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User ‘Jim’)
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-1005..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User ‘LaLa’)
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-1006..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User ‘Mum’)
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-500..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Administrator’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


End of file - 6096 bytes


The below is just for information and I will let oldman help you as he is much more knowledgeable than I am. Please do not make any changes without his directions.

This one is not good …

O2 - BHO: (no name) - {330052B8-D2DA-4002-A6B0-6ADED622BCE9} - C:\WINDOWS\system32\commdl.dll

This one is unneeded …

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

You must have had AVG7 anti-virus at some point, as these seem to be leftovers …

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
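As an added example (not code from the thread, from HijackThis or from Avast), the Python script below applies to the posted log lines the same three checks the helpers made by eye: an O2 BHO with “(no name)”, an O9 button whose target is “(no file)”, and an O23 service whose binary is “(file missing)”. It also reports which of the two HJT fix lines the helper asked to be check-marked are still present in a log, which is how you would confirm on a fresh post-fix log that the entries are gone. The sample lines are copied from the log posted above; the regexes, the Finding record and the function names are assumptions of this example, not HJT’s own.

```python
"""Triage a HijackThis (HJT) log for the entry types discussed in this thread.

Added example: not code from the thread, from HijackThis or from Avast. It
applies the checks the helpers made by eye and reports which fix-list lines a
log still contains. Sample lines are copied from the log posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every HJT entry begins with a section tag such as O2, O9 or O23, then " - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# COM class identifier in registry form, e.g. {330052B8-D2DA-4002-A6B0-6ADED622BCE9}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_MISSING = "(file missing)"

# Lines copied from the HJT log posted in the thread; benign ones are included on purpose.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {330052B8-D2DA-4002-A6B0-6ADED622BCE9} - C:\WINDOWS\system32\commdl.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
"""

# The two lines the helper asked to be check-marked and fixed in HJT.
FIX_LIST = [
    r"O2 - BHO: (no name) - {330052B8-D2DA-4002-A6B0-6ADED622BCE9} - C:\WINDOWS\system32\commdl.dll",
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
]


@dataclass
class Finding:
    section: str          # HJT section tag (O2, O9, O23)
    clsid: Optional[str]  # CLSID when the entry carries one
    path: str             # target binary, or a placeholder such as "(no file)"
    reason: str           # why the line was flagged
    line: str             # the original log line


def parse_entry(line: str) -> Optional[Tuple[str, str, Optional[str], str]]:
    """Split one HJT line into (section, body, clsid, target); None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid_m = CLSID_RE.search(body)
    # HJT separates fields with " - "; the last field is the target file or placeholder.
    target = body.rsplit(" - ", 1)[-1].strip()
    return section, body, (clsid_m.group(0) if clsid_m else None), target


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would look at first, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body, clsid, target = parsed
        if section == "O2" and body.startswith("BHO: (no name)"):
            # A BHO is loaded into every Internet Explorer process; an unnamed one is suspect.
            findings.append(Finding(section, clsid, target, "unnamed BHO", raw.strip()))
        elif section == "O9" and target == "(no file)":
            # An IE toolbar button whose handler file is gone: harmless but worth removing.
            findings.append(Finding(section, clsid, target, "toolbar button with no file", raw.strip()))
        elif section == "O23" and target.endswith(FILE_MISSING):
            # A registered service whose binary no longer exists: leftover of an uninstall.
            path = target[: -len(FILE_MISSING)].strip()
            findings.append(Finding(section, clsid, path, "service binary missing", raw.strip()))
    return findings


def fix_lines_present(log_text: str, fix_lines: List[str]) -> List[str]:
    """Which of the fix-list lines are still in the log (run this against a post-fix log)."""
    present = {ln.strip() for ln in log_text.splitlines()}
    return [fl for fl in fix_lines if fl.strip() in present]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4} {f.reason:<28} {f.clsid or '-':<40} {f.path}")
    print("fix list still present:", fix_lines_present(SAMPLE_LOG, FIX_LIST))
```

Run it against the full log to see the four flagged lines; run it against the log you post after fixing and `fix_lines_present` should come back empty.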