Files Automatically deleting

T

Traceydog

New Member
Last couple of days and weeks, I have had files on an XP computer automatically delete themselves. For example, I have installed AVG 8.0 and then after a restart, all the files had disappeared and i then couldn't locate them. Last couple of days, I have done a full scan with Ad-Aware and it stops scanning at a registry location with InProcServer32. Does anyone know what I can do or if I delete this file, will it affect my computer?
 
Hi Luke,

Pls do the following:

If after that you are still infected, please post a Hijackthis log. To post a Hijackthis log, please do the following:
Click Here to download HJTsetup.exe


* Save HJTsetup.exe to your desktop.
* Double click on the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
* Put a check by Create a desktop icon then click Next again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click Finish and it will launch Hijack This.
* Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
* Click Save to save the log file and then the log will open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
* Come back and create a new thread and Paste the log in your post, using Hijackthis in your Subject bar
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


We will look at your log as soon as we see it, and give you further instructions on how to fix your computer. Most of the time it will involve downloading more programs that will either give us logs to locate the malware or delete those malware.

Once you have posted a HJT Thread DO NOT make any changes to your PC unless the advisor helping you has instructed you to do so!

Thanks,

Cohen
 
Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:22 PM, on 8/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Saf3.tmp\HiJackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5036 bytes
 
OK, thanks

do this:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Why do you always give instructions to do a hijackthis and then do combofix?? Why dont you point out the infections, if any?
 
ComboFix Log

ComboFix 08-07-05.1 - Owner 2008-07-08 16:16:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.168 [GMT 10:00]
Running from: C:\DOCUME~1\Owner\LOCALS~1\Temp\SafB.tmp\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\215651
C:\WINDOWS\system32\cfhkj.bak1
C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\cfhkj.tmp
C:\WINDOWS\system32\components
C:\WINDOWS\system32\dwcfcbpv.ini
C:\WINDOWS\system32\eaetqsjw.ini
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.bak2
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini2
C:\WINDOWS\system32\jlkkj.tmp
C:\WINDOWS\system32\jykxpbox.ini
C:\WINDOWS\system32\khesqjkv.ini
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.bak2
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini2
C:\WINDOWS\system32\klkkj.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mkfywcaa.ini
C:\WINDOWS\system32\ogmjwphp.ini
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\oqtss.tmp
C:\WINDOWS\system32\plnxtkvo.ini
C:\WINDOWS\system32\sfpxgcxu.ini
C:\WINDOWS\system32\tftqxxfy.ini
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\vrqtfeyn.ini
C:\WINDOWS\system32\xwyhsuvy.ini
C:\WINDOWS\system32\yourdfjt.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-01 16:14 . 2008-07-02 12:34 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-07-01 15:01 . 2008-07-01 15:01 <DIR> d----c--- C:\Program Files\AVG
2008-07-01 15:01 . 2008-07-01 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-01 14:47 . 2008-07-01 15:22 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 14:45 . 2008-07-01 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-22 22:23 . 2008-06-22 22:25 <DIR> d----c--- C:\Program Files\weblin
2008-06-22 22:19 . 2008-06-22 22:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\zweitgeist
2008-06-17 20:32 . 2008-06-17 20:32 <DIR> d----c--- C:\Program Files\Microsoft Silverlight
2008-06-11 23:38 . 2007-06-18 14:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-06-11 12:41 . 2008-06-11 18:04 <DIR> d----c--- C:\AvirMail
2008-06-11 12:34 . 2008-05-09 00:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 12:32 . 2008-06-13 21:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 06:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
2008-07-07 22:42 292,352 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-07-07 22:02 6,771,200 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-07-07 08:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-07-07 08:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-07-07 08:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2008-07-07 07:20 --------- dc----w C:\Program Files\FrostWire
2008-07-04 02:14 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 02:14 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-02 00:24 --------- dc----w C:\Program Files\Safari
2008-07-01 05:59 --------- dc----w C:\Program Files\Lavasoft
2008-07-01 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 10:11 92,160 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-06-25 09:58 6,660,096 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-06-21 12:19 6,621,696 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-06-21 12:19 208,384 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-06-17 06:55 485,888 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-06-17 06:45 6,603,776 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 13:40 --------- dc----w C:\Program Files\Motorola Phone Tools
2008-06-11 13:37 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-06-11 12:30 --------- dc----w C:\Program Files\Avanquest update
2008-06-11 04:12 --------- dc----w C:\Program Files\Java
2008-06-11 02:41 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-06-11 02:41 249,856 ------w C:\WINDOWS\Setup1.exe
2008-06-10 05:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\FrostWire
2008-06-07 06:10 --------- dc----w C:\Program Files\Skype
2008-06-07 06:10 --------- dc----w C:\Program Files\Common Files\Skype
2008-06-07 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-06 04:47 647,680 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-06-06 04:47 6,456,320 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-06-02 13:05 --------- dc----w C:\Program Files\Apple Software Update
2008-05-25 13:31 --------- dc----w C:\Program Files\BitTorrent
2008-05-25 10:58 --------- dc----w C:\Program Files\Windows Live
2008-05-22 12:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-16 01:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 05:35 6,167,040 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-15 05:35 305,152 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-14 14:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-12 07:28 18,207,347 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_12_00_22_45.dmp.zip
2008-05-11 14:22 6,159,872 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-10 05:21 --------- dc----w C:\Program Files\DNA
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 07:13 6,148,608 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-05-05 07:13 264,704 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 07:56 6,100,992 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-04-21 07:56 210,432 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-13 19:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-13 19:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2008-04-13 06:33 6,099,456 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-04-13 06:33 368,640 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2006-11-19 10:53 24,192 -c----w C:\Documents and Settings\Owner\usbsermptxp.sys
2006-11-19 10:53 22,768 -c----w C:\Documents and Settings\Owner\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-08 18:08 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 10:12 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-10 15:21 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe" [2005-08-03 06:42 943880]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8987:TCP"= 8987:TCP:BitComet 8987 TCP
"8987:UDP"= 8987:UDP:BitComet 8987 UDP
"7506:TCP"= 7506:TCP:BitComet 7506 TCP
"7506:UDP"= 7506:UDP:BitComet 7506 UDP

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 12:14]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe []
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2002-06-06 10:14]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 16:41]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 04:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef89f1ae-7796-11db-a3de-0090d0e5fa6d}]
\Shell\AutoRun\command - F:\favicon.ico

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-07 12:24:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-08 05:24:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-07-07 22:43:01 C:\WINDOWS\Tasks\PPv5Scan_Daily as Owner at 8 42 AM.job"
- C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\ppv5consumercl.exe
"2008-07-07 17:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
"2008-07-08 06:02:42 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-26 16:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-07-04 03:18:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-16 02:18:08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-16 02:45:29 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVG8_TRAY - C:\PROGRA~1\AVG\AVG8\avgtray.exe
HKLM-Run-AvirMail - (no file)
ShellExecuteHooks-{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5} - (no file)
ShellExecuteHooks-{8AAF9204-7148-4576-8F68-016875076F73} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 16:22:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
Completion time: 2008-07-08 16:26:01
ComboFix-quarantined-files.txt 2008-07-08 06:25:39

Pre-Run: 155,677,057,024 bytes free
Post-Run: 155,665,858,560 bytes free

254 --- E O F --- 2008-07-07 04:12:08
 
Hijackthis Log 2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:01 PM, on 8/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5307 bytes
 
OK,

Luke are are mates from school.

So we have decided i will go over to his place and reinstall XP on his desktop because it is giving him the craps and it will be good to start fresh,

so i'll get a mod to close / lock this thread
 
You must log in or register to reply here.
Back
Top