Author Topic: Avasts been hijack please help  (Read 83543 times)


UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #60 on: April 21, 2007, 04:45:17 PM »
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ASUS Probe -> %ProgramFiles%\ASUS\Probe\AsusProb.exe ->  [Ver =  | Size = 617984 bytes | Modified Date = 06/12/2002 16:07:48 | Attr =    ]
DU Meter -> %ProgramFiles%\DU Meter\DUMeter.exe -> Hagel Technologies [Ver = 3.02 Build 76 | Size = 1148928 bytes | Modified Date = 23/06/2002 21:19:26 | Attr =    ]
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 7700480 bytes | Modified Date = 22/10/2006 13:22:00 | Attr =    ]
NvMediaCenter -> %System32%\nvmctray.dll [RunDLL32.exe NvMCTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 86016 bytes | Modified Date = 22/10/2006 13:22:00 | Attr =    ]
nwiz -> %System32%\nwiz.exe ->  [Ver =  | Size = 1622016 bytes | Modified Date = 22/10/2006 13:22:00 | Attr =    ]
Run StartupMonitor -> %SystemRoot%\StartupMonitor.exe ->  [Ver =  | Size = 86016 bytes | Modified Date = 20/05/2000 17:23:48 | Attr =    ]
SmcService -> %ProgramFiles%\Sygate\SPF\smc.exe -> Sygate Technologies, Inc. [Ver = 5.5.00.2525 | Size = 2344160 bytes | Modified Date = 24/03/2005 10:30:06 | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 28/09/2006 15:13:28 | Attr =    ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 20/12/2006 12:55:48 | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
zwebauth.dll -> %System32%\ZWebAuth.dll ->  [Ver =  | Size = 16973 bytes | Modified Date = 18/09/2001 19:37:34 | Attr =    ]
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 282624 bytes | Modified Date = 27/02/2007 11:39:26 | Attr =    ]
< HOSTS File > (568096 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar ->  ->
HKLM: Search Page ->  ->
HKLM: Start Page -> http://www.msn.com/ ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\System32\blank.htm ->
HKCU: Search Bar ->  ->
HKCU: Search Page ->  ->
HKCU: Start Page -> about:blank ->
HKCU: CustomizeSearch ->  ->
HKCU: SearchAssistant ->  ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] ->  ->
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
img_bleepingcomputer.com [*] ->  ->
www_bleepingcomputer.com [*] ->  ->
www_bleepingcomputer.com [http] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 01:04:00 | Attr =    ]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} [HKLM] -> %ProgramFiles%\Spyware Doctor\tools\iesdsg.dll [PCTools Site Guard] -> PC Tools [Ver = 3.6.0.2071 | Size = 825528 bytes | Modified Date = 01/08/2006 14:27:06 | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_01\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 501400 bytes | Modified Date = 14/03/2007 03:43:40 | Attr =    ]
{B56A7D7D-6927-48C8-A975-17DF180C71AC} [HKLM] -> %ProgramFiles%\Spyware Doctor\tools\iesdpb.dll [PCTools Browser Monitor] -> PC Tools [Ver = 3.6.0.2284 | Size = 848496 bytes | Modified Date = 01/09/2006 14:00:14 | Attr =    ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_01\bin\npjpi160_01.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 132760 bytes | Modified Date = 14/03/2007 03:43:42 | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_01\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 501400 bytes | Modified Date = 14/03/2007 03:43:40 | Attr =    ]
{40B2063F-DB01-4962-BE63-59435C01283C} -> %ProgramFiles%\UKPoker\client.exe [ButtonText: UKPoker] -> Tribeca Tables Europe Limited [Ver = 23, 3132, 0, 0 | Size = 2502656 bytes | Modified Date = 30/05/2006 23:06:12 | Attr =    ]
{85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] -> Reg Data - Key not found [MenuText: Uninstall BitDefender Online Scanner v8] -> File not found
{F4FBA929-A891-492C-A0F6-5C79CC4F1742} -> %ProgramFiles%\HiDownload\hidownload.exe [ButtonText: HiDownload] -> HiDownload Software [Ver = 2.0.0.3 | Size = 812032 bytes | Modified Date = 06/11/2006 14:46:00 | Attr =    ]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
&Download with &DAP -> %ProgramFiles%\DAP\dapextie.htm ->  [Ver =  | Size = 1507 bytes | Modified Date = 06/11/2005 20:29:06 | Attr =    ]
&Get Gutcheck -> Reg Data - Value does not exist -> File not found
Download &all with DAP -> %ProgramFiles%\DAP\dapextie2.htm ->  [Ver =  | Size = 630 bytes | Modified Date = 06/11/2005 20:29:06 | Attr =    ]
Download All Files by HiDownload -> %ProgramFiles%\HiDownload\HDGetAll.htm ->  [Ver =  | Size = 662 bytes | Modified Date = 09/06/2003 01:20:00 | Attr =    ]
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 ->  ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{76807617-D33F-4A38-A96D-BE96C5491589} ->    () ->
{8FD2343D-CCBB-49DE-9F40-7C2AF75D1F89} ->    (1394 Net Adapter) ->
{CDDE24B6-52BD-42C0-9934-503621F4A9D7} ->    () ->
{D7A05597-BF58-4894-8983-33A524BA9459} ->    (NVIDIA nForce MCP Networking Controller) ->
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
about -> 4 = Restricted sites (Not a Default Protocol) ->
about: -> 4 = Restricted sites (Not a Default Protocol) ->
mhtml -> 4 = Restricted sites (Not a Default Protocol) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{0DB074F0-617E-4EE9-912C-2965CF2AA5A4} -> SentinelVE3D Class - CodeBase = http://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab ->
{1EF9F042-C2EB-4293-8213-474CAEEF531D} -> TmHcmsX Control - CodeBase = http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab ->
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
Microsoft XML Parser for Java ->  - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #61 on: April 21, 2007, 04:47:16 PM »
[Files/Folders - Created Within 30 days]
A Startup Monitor and Startup Control Panel -> %SystemDrive%\A Startup Monitor and Startup Control Panel ->  [Folder | Created Date = 15/04/2007 11:22:56 | Attr =    ]
Active Ports  monitor -> %SystemDrive%\Active Ports  monitor ->  [Folder | Created Date = 15/04/2007 11:11:43 | Attr =    ]
cp1041.nls -> %SystemDrive%\cp1041.nls ->  [Ver =  | Size = 91648 bytes | Created Date = 21/04/2007 12:19:40 | Attr =    ]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Created Date = 19/04/2007 13:16:43 | Attr =    ]
F-Secure BlackLight Rootkit -> %SystemDrive%\F-Secure BlackLight Rootkit ->  [Folder | Created Date = 19/04/2007 22:42:47 | Attr =    ]
IceSword -> %SystemDrive%\IceSword ->  [Folder | Created Date = 19/04/2007 21:43:01 | Attr =    ]
initemp.dat -> %SystemDrive%\initemp.dat ->  [Ver =  | Size = 17556 bytes | Created Date = 27/03/2007 15:17:48 | Attr =    ]
Process Explorer -> %SystemDrive%\Process Explorer ->  [Folder | Created Date = 08/04/2007 19:58:10 | Attr =    ]
RootkitBuster -> %SystemDrive%\RootkitBuster ->  [Folder | Created Date = 19/04/2007 22:00:01 | Attr =    ]
SafeXP -> %SystemDrive%\SafeXP ->  [Folder | Created Date = 18/04/2007 01:28:57 | Attr =    ]
SDFix -> %SystemDrive%\SDFix ->  [Folder | Created Date = 13/04/2007 00:34:31 | Attr =    ]
TcpView -> %SystemDrive%\TcpView ->  [Folder | Created Date = 20/04/2007 11:59:11 | Attr =    ]
$NtUninstallWIC$ -> %SystemRoot%\$NtUninstallWIC$ ->  [Folder | Created Date = 04/04/2007 14:45:22 | Attr =  H ]
assembly -> %SystemRoot%\assembly ->  [Folder | Created Date = 04/04/2007 14:47:15 | Attr = R S]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 ->  [Folder | Created Date = 14/04/2007 16:12:50 | Attr =    ]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Created Date = 19/04/2007 13:16:49 | Attr =    ]
Iedit.INI -> %SystemRoot%\Iedit.INI ->  [Ver =  | Size = 30 bytes | Created Date = 09/04/2007 22:03:45 | Attr =    ]
Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Created Date = 04/04/2007 14:46:38 | Attr =    ]
Sun -> %SystemRoot%\Sun ->  [Folder | Created Date = 13/04/2007 10:19:42 | Attr =    ]
uninstall -> %SystemRoot%\uninstall ->  [Folder | Created Date = 27/03/2007 15:12:39 | Attr =    ]
actskin4.ocx -> %System32%\actskin4.ocx ->  [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Created Date = 13/04/2007 21:26:46 | Attr =    ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 13/04/2007 17:56:27 | Attr =    ]
aswBoot.exe -> %System32%\aswBoot.exe ->  [Ver = 4, 7, 936, 0 | Size = 689280 bytes | Created Date = 13/04/2007 21:26:46 | Attr =    ]
AVASTSS.scr -> %System32%\AVASTSS.scr -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 90112 bytes | Created Date = 13/04/2007 21:26:46 | Attr =    ]
Help.ico -> %System32%\Help.ico ->  [Ver =  | Size = 1406 bytes | Created Date = 13/04/2007 17:55:58 | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Created Date = 13/04/2007 10:18:59 | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 69632 bytes | Created Date = 13/04/2007 10:18:59 | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Created Date = 13/04/2007 10:18:59 | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 139264 bytes | Created Date = 13/04/2007 10:18:59 | Attr =    ]
pavas.ico -> %System32%\pavas.ico ->  [Ver =  | Size = 30590 bytes | Created Date = 13/04/2007 17:55:57 | Attr =    ]
PerfStringBackup.TMP -> %System32%\PerfStringBackup.TMP ->  [Ver =  | Size = 458776 bytes | Created Date = 18/04/2007 01:38:15 | Attr =    ]
Startup.cpl -> %System32%\Startup.cpl ->  [Ver =  | Size = 81920 bytes | Created Date = 15/04/2007 11:28:06 | Attr =    ]
Uninstall.ico -> %System32%\Uninstall.ico ->  [Ver =  | Size = 2550 bytes | Created Date = 13/04/2007 17:55:58 | Attr =    ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.892.0 | Size = 31560 bytes | Created Date = 13/04/2007 21:26:52 | Attr =    ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.892.0 | Size = 85952 bytes | Created Date = 13/04/2007 21:26:51 | Attr =    ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.892.0 | Size = 94424 bytes | Created Date = 13/04/2007 21:26:51 | Attr =    ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.936.0 | Size = 23352 bytes | Created Date = 13/04/2007 21:26:53 | Attr =    ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.936.0 | Size = 43176 bytes | Created Date = 13/04/2007 21:26:53 | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 19/04/2007 13:31:23 | Attr =    ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 13/04/2007 12:13:58 | Attr =    ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1052 | Size = 102800 bytes | Created Date = 16/04/2007 10:30:15 | Attr =    ]
hosts11.bak -> %System32%\drivers\etc\hosts11.bak ->  [Ver =  | Size = 46289 bytes | Created Date = 17/04/2007 21:21:32 | Attr =    ]

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #62 on: April 21, 2007, 04:48:20 PM »
[Files/Folders - Modified Within 30 days]
A Startup Monitor and Startup Control Panel -> %SystemDrive%\A Startup Monitor and Startup Control Panel ->  [Folder | Modified Date = 15/04/2007 12:25:54 | Attr =    ]
Active Ports  monitor -> %SystemDrive%\Active Ports  monitor ->  [Folder | Modified Date = 15/04/2007 12:12:26 | Attr =    ]
Bittorrent -> %SystemDrive%\Bittorrent ->  [Folder | Modified Date = 14/04/2007 00:16:00 | Attr =    ]
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 211 bytes | Modified Date = 09/04/2007 01:45:42 | Attr =  HS]
capture -> %SystemDrive%\capture ->  [Folder | Modified Date = 18/04/2007 23:45:30 | Attr =    ]
CCleaner -> %SystemDrive%\CCleaner ->  [Folder | Modified Date = 14/04/2007 22:51:24 | Attr =    ]
cp1041.nls -> %SystemDrive%\cp1041.nls ->  [Ver =  | Size = 91648 bytes | Modified Date = 21/04/2007 13:19:42 | Attr =    ]
CWShredder -> %SystemDrive%\CWShredder ->  [Folder | Modified Date = 17/04/2007 20:29:02 | Attr =    ]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Modified Date = 19/04/2007 15:21:00 | Attr =    ]
F-Secure BlackLight Rootkit -> %SystemDrive%\F-Secure BlackLight Rootkit ->  [Folder | Modified Date = 19/04/2007 23:43:06 | Attr =    ]
hidownload -> %SystemDrive%\hidownload ->  [Folder | Modified Date = 10/04/2007 21:00:40 | Attr =    ]
hijackthis -> %SystemDrive%\hijackthis ->  [Folder | Modified Date = 19/04/2007 15:57:10 | Attr =    ]
Hostfile -> %SystemDrive%\Hostfile ->  [Folder | Modified Date = 18/04/2007 23:48:58 | Attr =    ]
IceSword -> %SystemDrive%\IceSword ->  [Folder | Modified Date = 19/04/2007 22:43:30 | Attr =    ]
initemp.dat -> %SystemDrive%\initemp.dat ->  [Ver =  | Size = 17556 bytes | Modified Date = 27/03/2007 16:19:48 | Attr =    ]
My Downloads -> %SystemDrive%\My Downloads ->  [Folder | Modified Date = 09/04/2007 14:31:12 | Attr =    ]
MyPhoto -> %SystemDrive%\MyPhoto ->  [Folder | Modified Date = 14/04/2007 00:29:12 | Attr =    ]
Process Explorer -> %SystemDrive%\Process Explorer ->  [Folder | Modified Date = 08/04/2007 22:12:06 | Attr =    ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 20/04/2007 10:25:00 | Attr = R  ]
RootkitBuster -> %SystemDrive%\RootkitBuster ->  [Folder | Modified Date = 19/04/2007 23:04:20 | Attr =    ]
rootkitrevealer -> %SystemDrive%\rootkitrevealer ->  [Folder | Modified Date = 19/04/2007 22:59:14 | Attr =    ]
SafeXP -> %SystemDrive%\SafeXP ->  [Folder | Modified Date = 18/04/2007 02:42:02 | Attr =    ]
SDFix -> %SystemDrive%\SDFix ->  [Folder | Modified Date = 13/04/2007 01:47:50 | Attr =    ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 19/04/2007 14:16:46 | Attr =  HS]
TcpView -> %SystemDrive%\TcpView ->  [Folder | Modified Date = 20/04/2007 20:24:50 | Attr =    ]
temp -> %SystemDrive%\temp ->  [Folder | Modified Date = 27/03/2007 12:49:28 | Attr =    ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 20/04/2007 21:58:38 | Attr =    ]
winks -> %SystemDrive%\winks ->  [Folder | Modified Date = 27/03/2007 17:38:28 | Attr =    ]
$NtUninstallWIC$ -> %SystemRoot%\$NtUninstallWIC$ ->  [Folder | Modified Date = 04/04/2007 15:45:24 | Attr =  H ]
AppPatch -> %SystemRoot%\AppPatch ->  [Folder | Modified Date = 13/04/2007 19:38:44 | Attr =    ]
assembly -> %SystemRoot%\assembly ->  [Folder | Modified Date = 04/04/2007 20:51:42 | Attr = R S]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 ->  [Folder | Modified Date = 14/04/2007 18:24:02 | Attr =    ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 21/04/2007 13:16:30 | Attr =   S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 19/04/2007 14:17:32 | Attr =   S]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Modified Date = 19/04/2007 14:16:50 | Attr =    ]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 08/04/2007 15:18:38 | Attr =    ]
Iedit.INI -> %SystemRoot%\Iedit.INI ->  [Ver =  | Size = 30 bytes | Modified Date = 09/04/2007 23:03:46 | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 15/04/2007 12:28:10 | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 18/04/2007 20:53:54 | Attr =  HS]
Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Modified Date = 04/04/2007 20:51:08 | Attr =    ]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 16/04/2007 20:48:36 | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 21/04/2007 13:45:28 | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 12/04/2007 20:10:46 | Attr =  H ]
RegisteredPackages -> %SystemRoot%\RegisteredPackages ->  [Folder | Modified Date = 08/04/2007 15:18:46 | Attr =    ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 14/04/2007 22:14:04 | Attr =    ]
repair -> %SystemRoot%\repair ->  [Folder | Modified Date = 14/04/2007 21:25:28 | Attr =    ]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 18/04/2007 03:18:56 | Attr =    ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Modified Date = 13/04/2007 19:44:02 | Attr =    ]
Sun -> %SystemRoot%\Sun ->  [Folder | Modified Date = 13/04/2007 11:19:44 | Attr =    ]
system -> %SystemRoot%\system ->  [Folder | Modified Date = 13/04/2007 19:44:04 | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 285 bytes | Modified Date = 18/04/2007 21:45:46 | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 20/04/2007 10:24:50 | Attr =    ]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 21/04/2007 13:20:44 | Attr =    ]
uninstall -> %SystemRoot%\uninstall ->  [Folder | Modified Date = 27/03/2007 16:12:40 | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 819 bytes | Modified Date = 15/04/2007 14:33:06 | Attr =    ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 04/04/2007 15:47:20 | Attr =    ]
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx ->  [Ver =  | Size = 316640 bytes | Modified Date = 08/04/2007 15:18:14 | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 21/04/2007 13:16:42 | Attr =  H ]
ActiveScan -> %System32%\ActiveScan ->  [Folder | Modified Date = 13/04/2007 23:08:32 | Attr =    ]
amcompat.tlb -> %System32%\amcompat.tlb ->  [Ver =  | Size = 16832 bytes | Modified Date = 08/04/2007 15:21:00 | Attr =    ]
CatRoot -> %System32%\CatRoot ->  [Folder | Modified Date = 30/03/2007 11:13:26 | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 16/04/2007 11:11:28 | Attr =    ]
config -> %System32%\config ->  [Folder | Modified Date = 13/04/2007 19:44:32 | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2626 bytes | Modified Date = 13/04/2007 22:26:54 | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 08/04/2007 15:18:50 | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 20/04/2007 11:11:56 | Attr =    ]
DRVSTORE -> %System32%\DRVSTORE ->  [Folder | Modified Date = 27/03/2007 12:41:54 | Attr =    ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 122928 bytes | Modified Date = 11/04/2007 00:16:22 | Attr =    ]
Help.ico -> %System32%\Help.ico ->  [Ver =  | Size = 1406 bytes | Modified Date = 13/04/2007 18:56:00 | Attr =    ]
nscompat.tlb -> %System32%\nscompat.tlb ->  [Ver =  | Size = 23392 bytes | Modified Date = 08/04/2007 15:21:00 | Attr =    ]
NtmsData -> %System32%\NtmsData ->  [Folder | Modified Date = 14/04/2007 21:39:04 | Attr =    ]
nvapps.xml -> %System32%\nvapps.xml ->  [Ver =  | Size = 88566 bytes | Modified Date = 21/04/2007 13:16:48 | Attr =    ]
pavas.ico -> %System32%\pavas.ico ->  [Ver =  | Size = 30590 bytes | Modified Date = 13/04/2007 18:56:00 | Attr =    ]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 58712 bytes | Modified Date = 04/04/2007 15:49:44 | Attr =    ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 392604 bytes | Modified Date = 04/04/2007 15:49:44 | Attr =    ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI ->  [Ver =  | Size = 404586 bytes | Modified Date = 04/04/2007 15:49:44 | Attr =    ]
PerfStringBackup.TMP -> %System32%\PerfStringBackup.TMP ->  [Ver =  | Size = 458776 bytes | Modified Date = 18/04/2007 02:38:16 | Attr =    ]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 19/04/2007 14:16:46 | Attr =    ]
Uninstall.ico -> %System32%\Uninstall.ico ->  [Ver =  | Size = 2550 bytes | Modified Date = 13/04/2007 18:56:00 | Attr =    ]
wbem -> %System32%\wbem ->  [Folder | Modified Date = 13/04/2007 19:46:54 | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 21/04/2007 12:37:08 | Attr =    ]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 17/04/2007 22:29:58 | Attr =    ]
ndis.sys -> %System32%\drivers\ndis.sys ->  [Ver =  | Size = 281348 bytes | Modified Date = 12/04/2007 20:12:04 | Attr =    ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1052 | Size = 102800 bytes | Modified Date = 19/04/2007 23:01:24 | Attr =    ]
hosts.bak -> %System32%\drivers\etc\hosts.bak ->  [Ver =  | Size = 46439 bytes | Modified Date = 17/04/2007 22:19:44 | Attr =    ]
hosts10.bak -> %System32%\drivers\etc\hosts10.bak ->  [Ver =  | Size = 46275 bytes | Modified Date = 17/04/2007 22:18:38 | Attr =    ]
hosts11.bak -> %System32%\drivers\etc\hosts11.bak ->  [Ver =  | Size = 46289 bytes | Modified Date = 17/04/2007 22:21:34 | Attr =    ]

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #63 on: April 21, 2007, 04:48:48 PM »
[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %SystemDrive%\cp1041.nls ->  [Ver =  | Size = 91648 bytes | Modified Date = 21/04/2007 13:19:42 | Attr =    ]
UPX! , UPX0 ,  -> %SystemRoot%\daemon.dll ->  [Ver = 3.47.0.0 | Size = 69120 bytes | Modified Date = 22/08/2004 18:04:56 | Attr =    ]
PECompact2 , qoologic , SAHAgent ,  -> %SystemRoot%\lpt$vpn.735 ->  [Ver =  | Size = 15382755 bytes | Modified Date = 18/07/2005 14:02:30 | Attr =    ]
UPX! , UPX0 ,  -> %SystemRoot%\SecLock.exe ->  [Ver =  | Size = 23406 bytes | Modified Date = 07/08/1999 15:53:26 | Attr =    ]
UPX! , UPX0 ,  -> %SystemRoot%\Set.exe ->  [Ver =  | Size = 8945 bytes | Modified Date = 07/08/1999 15:54:20 | Attr =    ]
UPX! , UPX0 ,  -> %SystemRoot%\tsc.exe -> Trend Micro Inc. [Ver = 3.9.0.1020 | Size = 170053 bytes | Modified Date = 19/03/2005 21:33:00 | Attr =    ]
UPX! , UPX0 ,  -> %SystemRoot%\Unwash5.exe ->  [Ver =  | Size = 44032 bytes | Modified Date = 17/05/2004 05:05:18 | Attr =    ]
PECompact2 , qoologic , SAHAgent ,  -> %SystemRoot%\VPTNFILE.735 ->  [Ver =  | Size = 15382755 bytes | Modified Date = 18/07/2005 14:02:30 | Attr =    ]
UPX! , aspack ,  -> %SystemRoot%\vsapi32.dll -> Trend Micro Inc. [Ver = 7.510-1002 | Size = 1044560 bytes | Modified Date = 24/03/2005 10:41:38 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\AdjMmsEng.dll -> MultiMedia Soft [Ver = 5, 3, 0, 1 | Size = 659968 bytes | Modified Date = 21/07/2006 21:14:44 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe ->  [Ver = 4, 7, 936, 0 | Size = 689280 bytes | Modified Date = 15/01/2007 17:32:08 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\avisynth.dll -> The Public [Ver = 2, 5, 6, 0 | Size = 308224 bytes | Modified Date = 28/10/2005 18:44:12 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\CoreAAC.ax ->  [Ver = 1, 1, 0, 642 | Size = 167936 bytes | Modified Date = 09/07/2004 10:47:04 | Attr = RHS]
UPX! , UPX0 ,  -> %System32%\cpuinf32.dll ->  [Ver =  | Size = 9216 bytes | Modified Date = 17/09/2001 13:20:02 | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 23/08/2001 13:00:00 | Attr =    ]
PEC2 , PECompact2 ,  -> %System32%\divx.dll -> DivX, Inc. [Ver = 6.4.0.51 | Size = 635486 bytes | Modified Date = 02/10/2006 22:04:40 | Attr =    ]
aspack ,  -> %System32%\HDBHO.dll ->  [Ver =  | Size = 208896 bytes | Modified Date = 27/03/2003 07:37:34 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\Lame.exe ->  [Ver =  | Size = 145408 bytes | Modified Date = 06/11/2005 00:34:50 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\OggEnc.exe ->  [Ver =  | Size = 157696 bytes | Modified Date = 19/07/2002 17:48:22 | Attr =    ]
qoologic , aspack , SAHAgent , winsync ,  -> %System32%\pav.sig ->  [Ver =  | Size = 9659839 bytes | Modified Date = 23/03/2005 13:52:14 | Attr =    ]
Thawte Consulting ,  -> %System32%\pxcpya64.exe -> Sonic Solutions [Ver = 1.00.35a | Size = 63144 bytes | Modified Date = 25/08/2006 04:47:00 | Attr =    ]
Thawte Consulting ,  -> %System32%\pxhpinst.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 67240 bytes | Modified Date = 25/08/2006 04:47:00 | Attr =    ]
Thawte Consulting ,  -> %System32%\pxinsa64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 62632 bytes | Modified Date = 25/08/2006 04:47:00 | Attr =    ]
Thawte Consulting ,  -> %System32%\pxinsi64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 115880 bytes | Modified Date = 25/08/2006 04:47:00 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\python23.dll ->  [Ver =  | Size = 369664 bytes | Modified Date = 08/02/2005 16:23:10 | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 23/08/2001 13:00:00 | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 23/08/2001 13:00:00 | Attr =    ]
PTech ,  -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 04/08/2004 06:41:38 | Attr =    ]
qoologic , PTech , SAHAgent , abetterinternet.com , web-nex , ad-w-a-r-e.com ,  -> %System32%\drivers\etc\hosts ->  [Ver =  | Size = 568096 bytes | Modified Date = 17/04/2007 22:28:56 | Attr =    ]

< End of report >

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #64 on: April 21, 2007, 05:00:36 PM »
Quote
I believe the email problem is solved, no, the only way I could stop it was disabling avast at startup
You need to have some resident antivirus running.

The reason you're seeing the avast! email provider in your firewall is because the outgoing email goes through it as a proxy.   Avast! is not the source of the email - there is an underlying process responsible for that that we have yet to identify.

Please turn avast! back on and set the email heuristics to high.

Then post the additional logs.

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #65 on: April 21, 2007, 05:14:36 PM »
hi mauserme

OK, I'll restart avast, reboot, put heuristics to high and see what happens.

I've tried to find a copy of WinPFind without any luck; all downloads point to
http://www.bleepingcomputer.com/files/winpfind.php which doesn't exist now.


mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #66 on: April 21, 2007, 05:20:46 PM »
Quote
Modified Date = 04/08/2004 06:41:38 | Attr =    ]
qoologic , PTech , SAHAgent , abetterinternet.com , web-nex , ad-w-a-r-e.com ,  -> %System32%\drivers\etc\hosts ->  [Ver =  | Size = 568096 bytes | Modified Date = 17/04/2007 22:28:56 | Attr =    ]

Are you getting pop ups from unknown programs warning of spyware/adware infection?

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #67 on: April 21, 2007, 05:35:23 PM »
Quote
Are you getting pop ups from unknown programs warning of spyware/adware infection?


No, but I use the Windows popup blocker

and stop a lot of ads with the hosts file.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Avasts been hijack please help
« Reply #68 on: April 21, 2007, 05:43:40 PM »
and stop a lot of ads with the hosts file
Which program do you use for hosts file?
The best things in life are free.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avasts been hijack please help
« Reply #69 on: April 21, 2007, 06:10:30 PM »
Analysing

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #70 on: April 21, 2007, 06:13:23 PM »
Quote
Which program do you use for hosts file?

I did use Host File Checker 2.2, but since this infection it screwed it up:
when I tried to open the hosts file it would be looking for SmartSound Quicktracks Plugin
or something like that. So I made a new one with the HijackThis tools instead.

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #71 on: April 21, 2007, 06:15:11 PM »
Should there be 4 ashmaiSv.exe LISTENING?


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avasts been hijack please help
« Reply #72 on: April 21, 2007, 06:30:20 PM »
Here is the fix, but there is very little there: remnants of the downloader and CoolWebSearch, a little SmitFraud, and that's it.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Win32 Services - Non-Microsoft Only]
YN -> (GMGSNLREI) GMGSNLREI [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Sean\LOCALS~1\Temp\GMGSNLREI.exe
YN -> (MHU) MHU [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Sean\LOCALS~1\Temp\MHU.exe
NY -> HKCU: Start Page -> about:blank
YY -> &Download with &DAP -> %ProgramFiles%\DAP\dapextie.htm
YN -> &Get Gutcheck -> Reg Data - Value does not exist
YY -> Download &all with DAP -> %ProgramFiles%\DAP\dapextie2.htm
YY -> Download All Files by HiDownload -> %ProgramFiles%\HiDownload\HDGetAll.htm
NY -> about -> 4 = Restricted sites (Not a Default Protocol)
NY -> about: -> 4 = Restricted sites (Not a Default Protocol)
NY -> mhtml -> 4 = Restricted sites (Not a Default Protocol)
[Files/Folders - Created Within 30 days]
YY -> Iedit.INI -> %SystemRoot%\Iedit.INI
NY -> cp1041.nls -> %SystemDrive%\cp1041.nls
NY -> hidownload -> %SystemDrive%\hidownload


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3U scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
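As an added example (not code from this thread or from WinPFind3U itself), the Python below parses report lines in the `name -> target -> company [Ver = ... | Size = ... | ...]` format posted above and labels the entry types essexboy's fix list targets: orphaned registry references, a service running from a Temp directory, protocol zone mappings that are not defaults, and packed files with no publisher or version. The function names and the triage heuristics are my own, and the sample report is constructed from lines quoted in this thread.

```python
"""Parse WinPFind3U-style report lines and flag the entry types the fix above targets."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Trailing detail block "[Ver = x | Size = N bytes | Modified Date = d | Attr = a]";
# the '|' is required so a bracket inside the target (e.g. "[HKLM]") never matches.
DETAIL_RE = re.compile(r"\[(?P<body>[^\]]*\|[^\]]*)\]$")
# What WinPFind3U prints when a registry value points at nothing.
ORPHAN_MARKERS = ("Key not found", "Value does not exist", "File not found")
# Packer strings reported in the "File String Scan" section.
PACKER_MARKERS = ("UPX!", "UPX0", "PECompact2", "PEC2", "aspack")


@dataclass
class Entry:
    section: str
    name: str
    target: str
    company: str = ""
    ver: str = ""
    size: Optional[int] = None
    flags: list[str] = field(default_factory=list)


def parse_entry(section: str, line: str) -> Optional[Entry]:
    """Split 'name -> target -> company [details]' into an Entry."""
    if line.endswith("->"):  # entries with no third column end in a bare '->'
        line = line[:-2].rstrip()
    parts = line.split(" -> ")
    if len(parts) < 2:
        return None
    name, target = parts[0].strip(), parts[1].strip()
    rest = " -> ".join(parts[2:]).strip()
    company, details = rest, {}
    m = DETAIL_RE.search(rest)
    if m:
        company = rest[: m.start()].strip()
        for item in m.group("body").split("|"):
            key, _, value = item.partition("=")
            details[key.strip()] = value.strip()
    size_m = re.match(r"\d+", details.get("Size", ""))
    return Entry(section, name, target, company, details.get("Ver", ""),
                 int(size_m.group()) if size_m else None)


def parse_report(text: str) -> list[Entry]:
    """'[...]' lines open a section; '< ... >' lines only name the key or folder."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue
        if line.startswith("[") and "->" not in line:
            section = line.strip("[]")
            continue
        entry = parse_entry(section, line)
        if entry:
            entries.append(entry)
    return entries


def triage(entry: Entry) -> list[str]:
    """Heuristic labels for the patterns a malware-removal helper checks first."""
    flags = []
    if any(mk in entry.target or mk in entry.company for mk in ORPHAN_MARKERS):
        flags.append("orphaned reference (target missing)")
    if re.search(r"\\temp\\", entry.target, re.IGNORECASE):
        flags.append("runs from a temp directory")
    if "(Not a Default Protocol)" in entry.target:
        flags.append("protocol zone mapping altered")
    if entry.section.startswith("File String Scan"):
        packed = any(mk in entry.name for mk in PACKER_MARKERS)
        if packed and not entry.company and not entry.ver:
            flags.append("packed file with no publisher or version")
    return flags


def flagged_entries(text: str) -> list[Entry]:
    """Return only the parsed entries that earned at least one flag."""
    hits = []
    for entry in parse_report(text):
        entry.flags = triage(entry)
        if entry.flags:
            hits.append(entry)
    return hits


# Constructed sample: lines copied from the report posted in this thread, plus the
# service line from the fix list with its 'YN ->' action prefix removed.
SAMPLE_REPORT = r"""[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SmcService -> %ProgramFiles%\Sygate\SPF\smc.exe -> Sygate Technologies, Inc. [Ver = 5.5.00.2525 | Size = 2344160 bytes | Modified Date = 24/03/2005 10:30:06 | Attr =    ]
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
about -> 4 = Restricted sites (Not a Default Protocol) ->
[Win32 Services - Non-Microsoft Only]
(GMGSNLREI) GMGSNLREI [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Sean\LOCALS~1\Temp\GMGSNLREI.exe
[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %SystemDrive%\cp1041.nls ->  [Ver =  | Size = 91648 bytes | Modified Date = 21/04/2007 13:19:42 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\AdjMmsEng.dll -> MultiMedia Soft [Ver = 5, 3, 0, 1 | Size = 659968 bytes | Modified Date = 21/07/2006 21:14:44 | Attr =    ]
"""
```

Running `flagged_entries(SAMPLE_REPORT)` returns four entries (the orphaned Explorer Bar, the altered `about` protocol, the Temp-directory service and the packed cp1041.nls); the signed Sygate service and the packed but published AdjMmsEng.dll earn no flag.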

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: Avasts been hijack please help
« Reply #73 on: April 21, 2007, 06:31:44 PM »
Should there be 4 ashmaiSv.exe LISTENING?

Yes, it is listening on the local host ports that it intercepts email on in order to scan it before it is sent or received in your inbox. You will notice they are all local IP addresses, 127.0.0.1.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #74 on: April 21, 2007, 07:30:03 PM »
hi essexboy

I did what you said and after about 15 mins of nothing happening I clicked on the program and it said "not responding" at the top. I did a reboot but the explorer is still there. I took a picture of it.


Just to let you all know I've deleted
C:\WINDOWS\unvise32.exe
C:\WINDOWS\unvise32qt.exe
C:\WINDOWS\Setup1.exe

And changed these from dat files to bak files: zgrvbnzmrv_nav.dat, zgrvbnzmrv_navps.dat, zgrvbnzmrv.dat



Doing a search on checkip.dyndns.org I came across this site:

http://www.coolmon.org/extensions/extension.php?id=35


External IP grabbed from checkip.dyndns.org

short: Grab your external IP (how your IP looks from the internet) from checkip.dyndns.org - maintainer: Bob_2k
last updated: 17:54 2003n 19. October, 2003


Hello, I have made a little application which shows the external IP in a textbox. It's coded in VB 6.0. You can download it at: http://ringwrath.ja-nee.de/DL/GetExternalIP.exe
« Last Edit: April 21, 2007, 07:35:57 PM by UK_Sean »