Post by: asiankid on July 27, 2007, 01:36:59 PM
Logfile of HijackThis v1.99.1
Scan saved at 2:33:19 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Rar$EX17.141\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Rar$EX00.203\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [j6201035] rundll32 C:\WINDOWS\system32\j6201035.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\xhayksms.dll",realset
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab (http://\"http://www.tricksteronline.com/control/tricksterActiveX.cab\")
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab (http://\"http://www.tricksteronline.com/control/KALogoutComponent.cab\")
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsjch.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
Post by: guestolo on July 27, 2007, 06:23:45 PM
Download this file - Combofix.exe (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\") and save it ONLY to your desktop, we will need it in a bit
Download and save [color=\"red\"]Brute Force Uninstaller[/color] (http://\"http://www.merijn.org/files/bfu.zip\")[/b] to the desktop
- Right click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to, click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:) or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
Called BFU
So you now have C:\BFU
Right click on bfu.zip and choose Extract Files...and choose the C:\BFU folder destination path
[color=\"red\"]RIGHT-CLICK HERE[/color] (http://\"http://metallica.geekstogo.com/alcanshorty.bfu\")[/b] and choose "Save As" (in IE it's "Save Target As") in order to download [color=\"red\"]Alcan worm remover[/color].
Save it then transfer to the
same folder you made earlier (C:\BFU).
Go to Start > My Computer and navigate to the C:\BFU folder.
- Start the Brute Force Uninstaller by doubleclicking BFU.exe
- Next to the scriptline to execute field click the folder icon (http://metallica.geekstogo.com/foldericon.png)
and select alcanshorty.bfu - Press Execute and let it do it's job. (You ought to see a progress bar if you did this correctly.)
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.
Can you boot to Normal windows please
Back in Windows
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Can you additionally do the following
Download Hijackthis 2.0.2 from my signature below
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install
Hijackthis v2.0.2 will open
Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum
Also include the log from Combofix located here>>C:\Combofix.txt
Post by: asiankid on July 27, 2007, 08:22:30 PM
"Next to the scriptline to execute field click the folder icon and select alcanshorty.bfu"
because I can't find "alcanshorty.bfu"
Post by: guestolo on July 27, 2007, 08:30:54 PM
Did you do that step?
If you did
Navigate to C:\BFU folder and open it
You may have save alcanshorty.bfu with a .txt extension
so it may look like the following
C:\BFU\alcanshorty.bfu.txt
If it is, can you right click on alcanshorty.bfu.txt and rename it to alcanshorty.bfu
Eliminate the .txt please, then try again
NOTE: I'm on my way out the door for dinner soon
If you have troubles with a step, carry on with the remainder of the instructions
Post by: asiankid on July 27, 2007, 09:04:24 PM
"HP_Administrator" - 2007-07-27 21:52:57 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\abjfliew.dll
C:\WINDOWS\system32\cuepmxrp.dll
C:\WINDOWS\system32\ennaqmha.dll
C:\WINDOWS\system32\fhbfsrps.dll
C:\WINDOWS\system32\fuvtrnxh.dll
C:\WINDOWS\system32\gdqnokdh.dll
C:\WINDOWS\system32\gsnaadty.dll
C:\WINDOWS\system32\ijimgiwo.dll
C:\WINDOWS\system32\jatvfawe.dll
C:\WINDOWS\system32\javkiuvo.dll
C:\WINDOWS\system32\jcoojhid.dll
C:\WINDOWS\system32\knajafbu.dll
C:\WINDOWS\system32\mqmctvsk.dll
C:\WINDOWS\system32\mtgcpaav.dll
C:\WINDOWS\system32\sfmtkiin.dll
C:\WINDOWS\system32\tmp31F.tmp.dll
C:\WINDOWS\system32\tmp3BC.tmp.dll
C:\WINDOWS\system32\tsgbdqeq.dll
C:\WINDOWS\system32\viavejlq.dll
C:\WINDOWS\system32\wlyluqvo.dll
C:\WINDOWS\system32\wqovnypm.dll
C:\WINDOWS\system32\xyxkgvky.dll
C:\WINDOWS\jkkjkh.dll
C:\WINDOWS\khgday.dll
C:\WINDOWS\mliged.dll
C:\WINDOWS\system32\weilfjba.ini
C:\WINDOWS\system32\ytdaansg.ini
C:\WINDOWS\system32\owigmiji.ini
C:\WINDOWS\system32\mpynvoqw.ini
C:\WINDOWS\hkjkkj.ini
C:\WINDOWS\yadghk.ini
C:\WINDOWS\degilm.ini
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\autorun.inf
C:\DOCUME~1\HP_ADM~1\APPLIC~1.\addon.dat
C:\DOCUME~1\HP_ADM~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\S858EZKA\www.broadcaster.com
C:\DOCUME~1\HP_ADM~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\HP_ADM~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\racle~1
C:\WINDOWS\IA
C:\WINDOWS\system32\bnyqhyv.dat
C:\WINDOWS\system32\bnyqhyv.exe
C:\WINDOWS\system32\bnyqhyv_nav.dat
C:\WINDOWS\system32\bnyqhyv_navps.dat
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\uzcx.exe
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\tmp31F.tmp.dll
C:\WINDOWS\system32\tmp3BC.tmp.dll
C:\WINDOWS\system32\tmp3F5.tmp.dll
C:\WINDOWS\system32\tmp8B2.tmp.dll
C:\WINDOWS\system32\tmpC12.tmp.dll
C:\WINDOWS\system32\tmpF10.tmp.dll
C:\WINDOWS\ufdata2000.log
d:\autorun.inf
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core
((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 )))))))))))))))))))))))))))))))
2007-07-27 21:52 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 21:44 <DIR> d-------- C:\bintheredunthat
2007-07-27 21:17 <DIR> d-------- C:\BFU
2007-07-15 11:34 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-14 15:18 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-07-14 15:18 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-12 23:38 <DIR> d-------- C:\Program Files\America's Army Server Manager
2007-07-11 18:25 <DIR> d-------- C:\Program Files\Free Download Manager
2007-07-07 21:24 <DIR> d-------- C:\Program Files\EA GAMES
2007-07-07 21:17 <DIR> d-------- C:\NVIDIA
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-28 01:50:08 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Xfire
2007-07-27 21:54:34 -------- d-----w C:\Program Files\WarRock
2007-07-27 21:35:14 -------- d-s---w C:\Program Files\Xfire
2007-07-27 17:45:40 -------- d-sh--w C:\Program Files\Free KGB Key Logger
2007-07-27 17:45:13 -------- d-----w C:\Program Files\music_now
2007-07-27 00:57:26 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Azureus
2007-07-13 03:51:08 -------- d-----w C:\Program Files\LimeWire
2007-07-13 03:39:03 -------- d-----w C:\Program Files\America's Army
2007-07-13 01:38:28 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-07-10 05:20:51 4,442 ----a-w C:\WINDOWS\mozver.dat
2007-07-08 01:24:58 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-08 01:17:07 -------- d-----w C:\Program Files\DaemonTools_WhenUSave_Installer
2007-06-28 22:14:35 -------- d-----w C:\Program Files\Azureus
2007-06-26 05:32:13 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\style bind
2007-06-21 18:55:13 -------- d-----w C:\Program Files\eMule
2007-06-21 14:49:45 45,568 ----a-w C:\WINDOWS\system32\dsupl.exe
2007-06-21 05:08:42 2,472 ----a-w C:\clean.bat
2007-06-21 04:25:11 -------- d-----w C:\Program Files\Error Expert
2007-06-21 04:10:49 -------- d-----w C:\Program Files\Share_Accelerator_MM
2007-06-19 02:30:23 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Sonic
2007-06-19 02:30:11 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Leadertech
2007-06-18 21:44:30 -------- d-----w C:\Program Files\AIM6
2007-06-18 21:44:28 -------- d-----w C:\Program Files\Viewpoint
2007-06-17 16:47:03 686,840 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-17 16:26:22 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-17 16:10:40 -------- d--h--r C:\DOCUME~1\HP_ADM~1\APPLIC~1\SecuROM
2007-06-17 16:00:13 -------- d-----w C:\Program Files\Ubisoft
2007-06-17 15:12:45 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinRAR
2007-06-15 01:35:08 -------- d-----w C:\Program Files\Globe7
2007-06-13 15:25:17 -------- d-----w C:\Program Files\Common Files\stardock
2007-06-13 04:42:42 -------- d-----w C:\Program Files\BitTorrent
2007-06-13 04:03:14 -------- d-----w C:\Program Files\BitDownload
2007-06-13 03:57:58 -------- d-----w C:\Program Files\style bind
2007-06-11 01:51:48 1,859,254 --sh--w C:\WINDOWS\system32\mpqss.ini2
2007-06-11 00:46:35 1,848,069 --sh--w C:\WINDOWS\system32\mpqss.bak1
2007-06-10 00:46:25 1,849,579 --sha-w C:\WINDOWS\system32\mpqss.bak2
2007-06-09 13:17:01 131,124 ----a-w C:\WINDOWS\system32\xhayksms.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AvastSS.scr
2006-11-20 00:26:12 0 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat
2006-12-13 22:32:22 80 --sh--r C:\WINDOWS\system32\4090D52FA0.dll
2006-11-22 03:04:32 88 --sh--r C:\WINDOWS\system32\A02FD59040.sys
2006-11-22 03:04:32 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 00:54 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-01-24 15:15 C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 19:35]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"ALCMTR"="ALCMTR.EXE" [2005-05-03 14:43 C:\WINDOWS\ALCMTR.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 15:15]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-29 11:09]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-07-10 21:07:46]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 14:40:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
R0 bb-run;Promise driver accelerator;C:\WINDOWS\system32\DRIVERS\bb-run.sys
R0 ftsata2;ftsata2;C:\WINDOWS\system32\DRIVERS\ftsata2.sys
R0 iaStor;Intel RAID Controller;C:\WINDOWS\system32\DRIVERS\iaStor.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys
R2 ARSVC;ARSVC;C:\WINDOWS\arservice.exe
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R3 aracpi;aracpi;C:\WINDOWS\system32\DRIVERS\aracpi.sys
R3 arkbcfltr;Microsoft PS2 Keyboard Filter;C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
R3 armoucfltr;Microsoft PS2 Mouse Filter;C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
R3 ARPolicy;ARPolicy;C:\WINDOWS\system32\DRIVERS\arpolicy.sys
R3 Ps2;PS2;C:\WINDOWS\system32\DRIVERS\PS2.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 usbstor;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S1 rxp;rxp;\??\C:\WINDOWS\system32\drivers\rxp.sys
S2 AFSEGTGF Windows Service;AFSEGTGF Windows Service;C:\WINDOWS\system32\dsjch.exe -service
S3 arhidfltr;MS Ar HID Filter Driver;C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\E:\INSTAL~E\Core\BVRPMPR5.SYS
S3 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 MR97310_USB_DUAL_CAMERA;CIF Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1);C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
S3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fd56ec3-0bf3-11dc-8a35-0c0c0c0c0c01}]
Auto\command- F:\tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98983a3a-5630-11db-87a0-001731c64165}]
Auto\command- tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7B566F8A-624C-2570-0B75-A27CDC7119CF}
C:\WINDOWS\NtmsData\klswd.exe s
Contents of the 'Scheduled Tasks' folder
2007-07-27 07:00:00 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2007-07-27 21:57:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-27 21:59:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-27 21:58
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 10:03:03 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab (http://\"http://www.tricksteronline.com/control/tricksterActiveX.cab\")
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab (http://\"http://www.tricksteronline.com/control/KALogoutComponent.cab\")
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsjch.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
Post by: guestolo on July 27, 2007, 10:38:54 PM
Read Everything I'm posting to you
Please do the following
Download Hijackthis 2.0.2 from my signature below
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install
Hijackthis v2.0.2 will open
Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum
In addition:
Download and unzip to your desktop InstalledPrograms.zip (http://\"http://www.billsway.com/vbspage/vbsfiles/InstalledPrograms.zip\")
Double click on InstalledPrograms.vbs
Click OK at the IP prompt and click YES to view the results now
A text file will open, can you copy and paste back here the whole contents
ALLOW this script to run if prompted by your AntiVirus
Post by: asiankid on July 27, 2007, 11:35:07 PM
Logfile of HijackThis v1.99.1
Scan saved at 12:32:49 AM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HP_Administrator\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab (http://\"http://www.tricksteronline.com/control/tricksterActiveX.cab\")
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab (http://\"http://www.tricksteronline.com/control/KALogoutComponent.cab\")
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsjch.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
INSTALLED SOFTWARE (261) - HPA1520N - 7/28/2007 12:34:07 AM
Ad-Aware SE Personal Ver: 1.06
Adobe Flash Player 9 ActiveX Ver: 9
Adobe Reader 7.0.9 Ver: 7.0.9 Installed: 7/12/2007
Adobe Shockwave Player Ver: 10.1.3.18
Agere Systems PCI-SV92PP Soft Modem
AI RoboForm (All Users)
AIM 6
AiO_Scan Ver: 50.0.206.000 Installed: 5/6/2006
AiO_Scan_CDA Ver: 51.0.230.000 Installed: 5/6/2006
AiOSoftware Ver: 50.0.206.000 Installed: 5/6/2006
AiOSoftwareNPI Ver: 51.0.230.000 Installed: 5/6/2006
America's Army Ver: 2.8.1 Installed: 7/12/2007
Apple Software Update Ver: 1.0.2.1 Installed: 11/2/2006
avast! Antivirus Ver: 4.7
AVG Anti-Spyware 7.5
Azureus Vuze
Battlefield 2(tm) Installed: 7/7/2007
BufferChm Ver: 70.0.170.000 Installed: 5/6/2006
CameraDrivers Ver: 5.0.0.328 Installed: 5/6/2006
CameraDrivers Ver: 6.0.0.212 Installed: 5/6/2006
CameraUserGuides Ver: 6.0.0.212 Installed: 5/6/2006
CP_AtenaShokunin1Config Ver: 70.0.170.000 Installed: 5/6/2006
CP_CalendarTemplates1 Ver: 70.0.170.000 Installed: 5/6/2006
cp_LightScribeConfig Ver: 70.0.170.000 Installed: 5/6/2006
cp_OnlineProjectsConfig Ver: 70.0.170.000 Installed: 5/6/2006
CP_Package_Basic1 Ver: 70.0.170.000 Installed: 5/6/2006
CP_Package_Variety1 Ver: 70.0.170.000 Installed: 5/6/2006
CP_Package_Variety2 Ver: 70.0.170.000 Installed: 5/6/2006
CP_Package_Variety3 Ver: 70.0.170.000 Installed: 5/6/2006
CP_Panorama1Config Ver: 70.0.170.000 Installed: 5/6/2006
cp_PosterPrintConfig Ver: 70.0.170.000 Installed: 5/6/2006
cp_UpdateProjectsConfig Ver: 70.0.170.000 Installed: 5/6/2006
CueTour Ver: 70.0.170.000 Installed: 5/6/2006
CustomerResearchQFolder Ver: 1.00.0000 Installed: 10/2/2006
Destinations Ver: 70.0.170.000 Installed: 5/6/2006
DeviceFunctionQFolder Ver: 1.00.0000 Installed: 10/2/2006
Diner Dash Ver: 1.0 (Cracked By CoffeeMan)
Diner Dash Ver: WT005638
Diner Dash 2
DocProc Ver: 6.0.0.0 Installed: 5/6/2006
DocumentViewer Ver: 61.0.163.000 Installed: 5/6/2006
Enhanced Multimedia Keyboard Solution
Fax Ver: 50.0.206.000 Installed: 5/6/2006
Fax_CDA Ver: 51.0.230.000 Installed: 5/6/2006
High Definition Audio Driver Package - KB888111 Ver: 20040219.000000
HijackThis 1.99.1 Ver: 1.99.1
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393) Installed: 5/6/2006
Hotfix for Windows XP (KB888795) Ver: 3
Hotfix for Windows XP (KB891593) Ver: 2
Hotfix for Windows XP (KB893357) Ver: 2 Installed: 5/6/2006
Hotfix for Windows XP (KB895961) Ver: 1
Hotfix for Windows XP (KB899337) Ver: 5
Hotfix for Windows XP (KB899510) Ver: 1
Hotfix for Windows XP (KB902841) Ver: 1
Hotfix for Windows XP (KB906569) Ver: 2 Installed: 5/6/2006
Hotfix for Windows XP (KB912024) Ver: 2 Installed: 5/6/2006
Hotfix for Windows XP (KB935448) Ver: 1 Installed: 4/12/2007
HP Deskjet 3900 series Ver: 5.0
HP Deskjet Printer Preload Ver: 10.1.0 Installed: 5/6/2006
HP DigitalMedia Archive Ver: 2.0 Installed: 5/6/2006
HP Document Viewer 6.1 Ver: 6.1
HP DVD Play 2.1
HP Extended Capabilities 5.0 Ver: 5.0
HP Image Zone Express Ver: 1.5.1.29 Installed: 10/2/2006
HP Imaging Device Functions 7.0 Ver: 7.0
HP Photosmart 330,380,420,470,7800,8000,8200 Series Ver: 8.1
HP Photosmart Cameras 6.0 Ver: 6.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5 Ver: 6.5
HP PSC & OfficeJet 5.3.B
HP PSC & OfficeJet 6.1.A
HP Software Update Ver: 3.0.7.014 Installed: 5/6/2006
HP Solution Center and Imaging Support Tools 6.1 Ver: 6.1
HPDeskjet3900Series Ver: 1.00.0000 Installed: 10/2/2006
hpiCamDrvQFolder Ver: 6.0.0 Installed: 5/6/2006
HPPhotoSmartExpress Ver: 70.0.170.000 Installed: 5/6/2006
HPProductAssistant Ver: 61.0.163.000 Installed: 5/6/2006
HpSdpAppCoreApp Ver: 3.00.0000 Installed: 5/6/2006
Insaniquarium Deluxe Ver: WT005641
Insaniquarium Deluxe 1.0
InstantShareDevices Ver: 70.0.170.000 Installed: 5/6/2006
iTunes Ver: 7.0.2.16 Installed: 11/16/2006
Java(tm) SE Runtime Environment 6 Update 1 Ver: 1.6.0.10 Installed: 4/25/2007
LightScribe 1.4.84.1 Ver: 1.4.84.1 Installed: 5/6/2006
MapleStory
MarketResearch Ver: 53.0.13.000 Installed: 10/2/2006
Microsoft .NET Framework 1.0 Hotfix (KB887998) Installed: 8/6/2006
Microsoft .NET Framework 1.0 Hotfix (KB930494) Installed: 7/12/2007
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 7/12/2007
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Ver: 2.0.50727 Installed: 7/12/2007
Microsoft Away Mode Ver: 6.0.0160.0
Microsoft Office Professional Edition 2003 Ver: 11.0.5614.0 Installed: 11/11/2006
Microsoft Works Ver: 08.04.0623 Installed: 5/6/2006
Mozilla Firefox (2.0.0.5) Ver: 2.0.0.5 (en-US)
MSXML 4.0 SP2 (KB927978) Ver: 4.20.9841.0 Installed: 11/15/2006
MyCam CIF Ver: 2.02.0000 Installed: 10/29/2006
MySpaceIM Ver: 0.0.40.0 Installed: 11/2/2006
Nero Suite
NewCopy Ver: 50.0.206.000 Installed: 5/6/2006
NewCopy_CDA Ver: 51.0.230.000 Installed: 5/6/2006
NVIDIA Drivers
OptionalContentQFolder Ver: 1.00.0000 Installed: 5/6/2006
PanoStandAlone Ver: 61.0.163.000 Installed: 5/6/2006
PhotoGallery Ver: 70.0.170.000 Installed: 5/6/2006
Picasa 2 Ver: 2.0
PSPrinters08 Ver: 8.01.0000 Installed: 5/6/2006
PSTAPlugin Ver: 8.01.0000 Installed: 5/6/2006
QuickTime Ver: 7.1.3.170 Installed: 11/16/2006
RandMap Ver: 70.0.170.000 Installed: 5/6/2006
Readme Ver: 51.0.230.000 Installed: 5/6/2006
Realtek High Definition Audio Driver
Scan Ver: 6.0.0.0 Installed: 5/6/2006
ScannerCopy Ver: 6.0.0.0 Installed: 5/6/2006
Security Update for Microsoft .NET Framework 2.0 (KB928365) Ver: 2
Security Update for Step By Step Interactive Training (KB898458) Ver: 20050502.101010 Installed: 8/6/2006
Security Update for Step By Step Interactive Training (KB923723) Ver: 20050502.101010 Installed: 2/16/2007
Security Update for Windows Media Player 10 (KB911565) Installed: 5/6/2006
Security Update for Windows Media Player 10 (KB917734) Installed: 8/6/2006
Security Update for Windows Media Player 6.4 (KB925398) Installed: 12/14/2006
Security Update for Windows XP (KB890046) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB893756) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB896358) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB896422) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB896423) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB896424) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB896428) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB899587) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB899589) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB899591) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB900725) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB901017) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB901214) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB902400) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB904706) Ver: 2 Installed: 5/6/2006
Security Update for Windows XP (KB905414) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB905749) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB905915) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB908519) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB911562) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB911567) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB911927) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB912919) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB913580) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB914388) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB914389) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB916281) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB917159) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB917344) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB917422) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB917953) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB918118) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB918439) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB918899) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB919007) Ver: 1 Installed: 9/13/2006
Security Update for Windows XP (KB920213) Ver: 1 Installed: 11/15/2006
Security Update for Windows XP (KB920214) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB920670) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB920683) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB920685) Ver: 1 Installed: 9/13/2006
Security Update for Windows XP (KB921398) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB921883) Ver: 1 Installed: 8/8/2006
Security Update for Windows XP (KB922616) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB922760) Ver: 1 Installed: 11/15/2006
Security Update for Windows XP (KB922819) Ver: 1 Installed: 10/13/2006
Security Update for Windows XP (KB923191) Ver: 1 Installed: 10/13/2006
Security Update for Windows XP (KB923414) Ver: 1 Installed: 10/13/2006
Security Update for Windows XP (KB923689) Installed: 12/14/2006
Security Update for Windows XP (KB923694) Ver: 1 Installed: 12/14/2006
Security Update for Windows XP (KB923980) Ver: 1 Installed: 11/15/2006
Security Update for Windows XP (KB924191) Ver: 1 Installed: 10/13/2006
Security Update for Windows XP (KB924270) Ver: 1 Installed: 11/15/2006
Security Update for Windows XP (KB924496) Ver: 1 Installed: 10/13/2006
Security Update for Windows XP (KB924667) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB925454) Ver: 1 Installed: 12/14/2006
Security Update for Windows XP (KB925486) Ver: 1 Installed: 9/27/2006
Security Update for Windows XP (KB925902) Ver: 1 Installed: 4/4/2007
Security Update for Windows XP (KB926255) Ver: 1 Installed: 12/14/2006
Security Update for Windows XP (KB926436) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB927779) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB927802) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB928090) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB928255) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB928843) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB929123) Ver: 1 Installed: 6/14/2007
Security Update for Windows XP (KB929969) Ver: 1 Installed: 1/13/2007
Security Update for Windows XP (KB930178) Ver: 1 Installed: 4/12/2007
Security Update for Windows XP (KB931261) Ver: 1 Installed: 4/12/2007
Security Update for Windows XP (KB931768) Ver: 1 Installed: 5/9/2007
Security Update for Windows XP (KB931784) Ver: 1 Installed: 4/12/2007
Security Update for Windows XP (KB932168) Ver: 1 Installed: 4/12/2007
Security Update for Windows XP (KB933566) Ver: 1 Installed: 6/14/2007
Security Update for Windows XP (KB935839) Ver: 1 Installed: 6/14/2007
Security Update for Windows XP (KB935840) Ver: 1 Installed: 6/14/2007
Serif PhotoPlus 6.0 Ver: 6.00
Shockwave Director 10.1.3
SkinsHP1 Ver: 70.0.170.000 Installed: 5/6/2006
SlideShow Ver: 70.0.170.000 Installed: 5/6/2006
SlideShowMusic Ver: 70.0.170.000 Installed: 5/6/2006
SolutionCenter Ver: 61.0.163.000 Installed: 5/6/2006
Sonic Express Labeler Ver: 2.1.0 Installed: 5/6/2006
Sonic MyDVD Plus Ver: 6.2.0 Installed: 5/6/2006
Sonic RecordNow Audio Ver: 2.0.6 Installed: 5/6/2006
Sonic RecordNow Copy Ver: 2.0.6 Installed: 5/6/2006
Sonic RecordNow Data Ver: 2.0.6 Installed: 5/6/2006
Sonic Update Manager Ver: 3.0.0 Installed: 5/6/2006
Sonic_PrimoSDK Ver: 70.0.170.000 Installed: 5/6/2006
Spybot - Search & Destroy 1.4 Ver: 1.4
Status Ver: 61.0.163.000 Installed: 5/6/2006
Toolbox Ver: 61.0.163.000 Installed: 5/6/2006
TrayApp Ver: 61.0.163.000 Installed: 5/6/2006
Unload Ver: 7.0.0 Installed: 5/6/2006
Update for Windows Media Player 10 (KB913800) Installed: 8/6/2006
Update for Windows Media Player 10 (KB926251) Installed: 12/14/2006
Update for Windows XP (KB898461) Ver: 1 Installed: 8/6/2006
Update for Windows XP (KB900485) Ver: 2 Installed: 8/6/2006
Update for Windows XP (KB908531) Ver: 2 Installed: 8/6/2006
Update for Windows XP (KB910437) Ver: 1 Installed: 8/6/2006
Update for Windows XP (KB911280) Ver: 2 Installed: 8/6/2006
Update for Windows XP (KB912945) Ver: 1 Installed: 5/6/2006
Update for Windows XP (KB916595) Ver: 1 Installed: 8/6/2006
Update for Windows XP (KB920872) Ver: 1 Installed: 9/13/2006
Update for Windows XP (KB922582) Ver: 1 Installed: 9/13/2006
Update for Windows XP (KB927891) Ver: 3 Installed: 5/23/2007
Update for Windows XP (KB929338) Ver: 1 Installed: 3/14/2007
Update for Windows XP (KB930916) Ver: 1 Installed: 5/9/2007
Update for Windows XP (KB931836) Ver: 1 Installed: 2/16/2007
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
Viewpoint Media Player
WarRock Ver: 2.2 Installed: 3/10/2007
WebFldrs XP Ver: 9.50.7523 Installed: 8/30/2005
WebReg Ver: 61.0.163.000 Installed: 5/6/2006
Windows Driver Package - Camera Maker (MR97310_USB_DUAL_CAMERA) Image 05/02/2006 2.0.1.0 Ver: 2.0.1.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player Firefox Plugin Ver: 1.0.0.8 Installed: 6/1/2007
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB883667 Ver: 20040812.104354
Windows XP Hotfix - KB885250 Ver: 20050118.202711
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB887742 Ver: 20041103.095002
Windows XP Hotfix - KB888113 Ver: 20041116.131036
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB890175 Ver: 20041201.233338
Windows XP Hotfix - KB890859 Ver: 1 Installed: 8/6/2006
Windows XP Hotfix - KB891781 Ver: 20050110.165439
Windows XP Hotfix - KB892050 Ver: 3 Installed: 5/6/2006
Windows XP Hotfix - KB893066 Ver: 1 Installed: 5/6/2006
Windows XP Media Center Edition 2005 KB908246 Installed: 5/6/2006
Windows XP Media Center Edition 2005 KB912067 Installed: 5/6/2006
WinFlyer
Xfire (remove only)
Yahoo! Internet Mail
Yahoo! Messenger
Post by: guestolo on July 27, 2007, 11:48:46 PM
Delete all copies of Hijackthis you have right now
I want you to update your copy, let me post these instructions once again
Download Hijackthis 2.0.2 from my signature below
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install
Hijackthis v2.0.2 will open
Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum
Post by: asiankid on July 27, 2007, 11:57:50 PM
Scan saved at 12:56:35 AM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab (http://\"http://www.tricksteronline.com/control/tricksterActiveX.cab\")
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab (http://\"http://www.tricksteronline.com/control/KALogoutComponent.cab\")
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsjch.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 6549 bytes
Post by: guestolo on July 29, 2007, 09:53:17 PM
Can you do the following, you still have problems on this machine
Download tel.xls.exe_Remover.exe (http://\"http://www.techsupportforum.com/sectools/sUBs/tel.xls.exe_Remover.exe\")
and save it to desktop
Download and save to desktop
Flash_Disinfector.exe (http://\"http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe\")
We'll need both these tools in a bit
Reboot your computer into safe mode and sign in with your usual account
Ensure that if you have any flash drives>>Eg.. Usb thumbdrives
Plug them in
Double click on Flash_Disinfector.exe and follow the prompts
Double click on tel.xls.exe_Remover.exe and follow the prompts
Boot back to Normal Windows
* Download avz4en.zip from [color=\"#0000FF\"]HERE[/color] (http://\"http://z-oleg.com/avz4en.zip\")
* Unzip it to a folder on your desktop
* Double click on AVZ.exe
* Click on the webupdate icon (http://img155.imageshack.us/img155/6144/webupdatecn6.jpg)
* Click on the start button.
* Wait for the update to finish
* You will get a message that says "Automatic update completed successfully. Update has been successfully downloaded and installed"
* Click OK
* Under the search parameter tab, change the heuristic analysis mode to "Maximum heuristics level" and tick the box next to "Extended analysis
* Make sure that the following options are selected
- Detect API hooks and rootkits
- Check SPI / LSP settings
- Search for keyloggers
- Search for TCP/UDP ports used by trojan horses
* Under the search range tab, select the following options
- Check running processes
- Heuristic system check
* Click start and wait for the scan to finish
* When the scan has finished click on the save icon (http://img155.imageshack.us/img155/511/savetd5.jpg)
* Leave the default name of avz_log and save it to your desktop
* This will put the file avz_log.txt on your desktop, please post the contents of that file
Also include a fresh hijackthis log file
Post by: asiankid on July 30, 2007, 12:49:45 AM
/unsure.gif\' class=\'bbc_emoticon\' alt=\':unsure:\' /> AVZ Antiviral Toolkit log; AVZ version is 4.25
Scanning started at 7/30/2007 12:10:33 AM
Database loaded: 119334 signatures, 2 NN profile(s), 55 microprograms of healing, signature database released 29.07.2007 12:41
Heuristic microprograms loaded : 370
Digital signatures of system files loaded: 61046
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
1. Searching for rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section: .text
Analysis: ntdll.dll, export table found in section: .text
Analysis: user32.dll, export table found in section: .text
Analysis: advapi32.dll, export table found in section: .text
Analysis: ws2_32.dll, export table found in section: .text
Analysis: wininet.dll, export table found in section: .text
Analysis: rasapi32.dll, export table found in section: .text
Analysis: urlmon.dll, export table found in section: .text
Analysis: netapi32.dll, export table found in section: .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in the memory at the address 804D7000
SDT = 8055B6E0
KiST = 80503940 (284)
Function NtCreateKey (29) intercepted (80622104->F72F80D0), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtEnumerateKey (47) intercepted (80622944->F72FDFB2), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtEnumerateValueKey (49) intercepted (80622BAE->F72FE340), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtOpenKey (77) intercepted (8062349A->F72F80B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtOpenProcess (7A) intercepted (805C9CFE->F7B7D8AC), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Function NtQueryKey (A0) intercepted (806237BE->F72FE418), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtQueryValueKey (B1) intercepted (806201BE->F72FE298), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtSetValueKey (F7) intercepted (806207C4->F72FE4AA), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtTerminateProcess (101) intercepted (805D1226->F7B7D812), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Functions checked: 284, intercepted: 9, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
The extended monitoring driver (AVZPM) is not installed, examination is not performed
2. Scanning memory
Number of processes found: 46
Analyzer - the process under analysis is 1372 C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer - the process under analysis is 1420 C:\Program Files\Alwil Software\Avast4\ashServ.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing?
Analyzer - the process under analysis is 260 C:\Program Files\QuickTime\qttask.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 288 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 364 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 380 C:\Program Files\AIM6\aim6.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing?
Analyzer - the process under analysis is 540 C:\Program Files\AIM6\aolsoftware.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing?
Analyzer - the process under analysis is 552 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing?
Analyzer - the process under analysis is 1236 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
[ES]:Application has no visible windows
Analyzer - the process under analysis is 2088 C:\WINDOWS\system32\PnkBstrA.exe
[ES]:Contains network functionality
[ES]:Capable of sending mail ?!
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer - the process under analysis is 2580 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
[ES]:Contains network functionality
[ES]:Capable of sending mail ?!
[ES]:Listens TCP ports !
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing?
Analyzer - the process under analysis is 2800 C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
[ES]:Contains network functionality
[ES]:Listens TCP ports !
[ES]:Listens HTTP ports !
[ES]:Application has no visible windows
Analyzer - the process under analysis is 3836 C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Number of modules loaded: 410
Memory checking - complete
3. Scanning disks
Direct reading C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\cert8.db
Direct reading C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\history.dat
Direct reading C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\key3.db
Direct reading C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\urlclassifier2.sqlite
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-77b36199/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-77b36199/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-77b36199/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1ce941ce-677f182c/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1ce941ce-677f182c/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1ce941ce-677f182c/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\254ab48e-4babaa3e/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\254ab48e-4babaa3e/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\254ab48e-4babaa3e/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\2a68265a-787715d0/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\2a68265a-787715d0/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\2a68265a-787715d0/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-23dd0c56/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-23dd0c56/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-23dd0c56/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\41\3f27a9-3fd00faf/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\41\3f27a9-3fd00faf/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\41\3f27a9-3fd00faf/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-20bbb7fd.zip/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-20bbb7fd.zip/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-20bbb7fd.zip/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
Direct reading C:\Documents and Settings\HP_Administrator\Cookies\index.dat
Direct reading C:\Documents and Settings\HP_Administrator\Desktop\armyops280_win(1).exe
Direct reading C:\Documents and Settings\HP_Administrator\Desktop\armyops280_win.exe
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL OCP\AIM\Storage\data\asianvietsweetie\localStorage\common.cls
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\Cache\_CACHE_001_
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\Cache\_CACHE_002_
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\Cache\_CACHE_003_
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012007072320070730\index.dat
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012007072920070730\index.dat
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012007073020070731\index.dat
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hpodvd09.log
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~WRC0000.tmp
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OJEFMZ\adserver[1].php Cannot open file "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OJEFMZ\adserver[1].php". The process cannot access the file because it is being used by another process
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OJEFMZ\adserver[2].php Cannot open file "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OJEFMZ\adserver[2].php". The process cannot access the file because it is being used by another process
Direct reading C:\Documents and Settings\HP_Administrator\My Documents\1984..doc
Direct reading C:\Documents and Settings\HP_Administrator\My Documents\Azureus Downloads\AA281FullInstaller_BitTorrent.exe
Direct reading C:\Documents and Settings\HP_Administrator\My Documents\Azureus Downloads\Grand Theft Auto - San Andreas.iso
Direct reading C:\Documents and Settings\HP_Administrator\NTUSER.DAT
C:\Documents and Settings\HP_Administrator\Shared\E-40 ft. T-Pain- U and Dat .mp3 - Extension masking is detected(danger level 5%)
C:\Documents and Settings\HP_Administrator\Shared\young joc I_Know_U_See_It__Clean_ .mp3 - Extension masking is detected(danger level 5%)
C:\Documents and Settings\HP_Administrator\Shared\Yung Joc - (New Joc City) - 08 - I Know You See It .mp3 - Extension masking is detected(danger level 5%)
C:\Documents and Settings\HP_Administrator\Shared\Yung Joc - I Know You See It (Dirty) .mp3 - Extension masking is detected(danger level 5%)
Direct reading C:\Documents and Settings\LocalService\Cookies\index.dat
Direct reading C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
Direct reading C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Documents and Settings\LocalService\NTUSER.DAT
Direct reading C:\Documents and Settings\NetworkService\Cookies\index.dat
Direct reading C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Direct reading C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Documents and Settings\NetworkService\NTUSER.DAT
C:\hp\KBD\runHSC.exe >>> suspicion for AdvWare.Win32.VirtualBouncer.c ( 0044105C 00304E19 000EF470 00000000 16384)
C:\hp\recovery\wizard\fscommand\AppRecoveryLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\CreatorLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\RecordnowLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\RestoreLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\RTCDLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\RunLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\SysRecoveryLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\WizardLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
Direct reading C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db
Direct reading C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt
C:\Program Files\Diner Dash 2\ReflexiveArcade\Application.dat Invalid file - not a PKZip file
C:\Program Files\Diner Dash 2\ReflexiveArcade\Arcade.dat Invalid file - not a PKZip file
C:\QooBox\Quarantine\C\WINDOWS\system32\abjfliew.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.kg ( 0B99DBC7 01B1A046 0029D636 0023A4D6 131124)
C:\QooBox\Quarantine\C\WINDOWS\system32\cuepmxrp.dll.vir >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\QooBox\Quarantine\C\WINDOWS\system32\ennaqmha.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.kb ( 0B3135E1 015E435F 0027AE21 00250DA2 50745)
C:\QooBox\Quarantine\C\WINDOWS\system32\fhbfsrps.dll.vir >>> suspicion for AdvWare.Win32.BHO.v ( 0B634177 064B4968 0024BD1E 00280BC9 124436)
C:\QooBox\Quarantine\C\WINDOWS\system32\fuvtrnxh.dll.vir >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\QooBox\Quarantine\C\WINDOWS\system32\gdqnokdh.dll.vir >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\QooBox\Quarantine\C\WINDOWS\system32\gsnaadty.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B362F6C 01B7C443 0023F233 0023CD05 131124)
C:\QooBox\Quarantine\C\WINDOWS\system32\ijimgiwo.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B362F6C 01B7C443 0023F233 0023CD05 131124)
C:\QooBox\Quarantine\C\WINDOWS\system32\jatvfawe.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.ir ( 0D461F06 01A2B9DE 0029E2BB 00280214 49204)
C:\QooBox\Quarantine\C\WINDOWS\system32\javkiuvo.dll.vir >>> suspicion for Trojan.Win32.BHO.o ( 0C110628 005E5E84 0023A0B2 0025270C 55316)
C:\QooBox\Quarantine\C\WINDOWS\system32\jcoojhid.dll.vir >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\QooBox\Quarantine\C\WINDOWS\system32\mqmctvsk.dll.vir >>> suspicion for AdvWare.Win32.BHO.v ( 0BBC8AB8 0400D4A1 00248BCC 0028C2C4 125460)
C:\QooBox\Quarantine\C\WINDOWS\system32\mtgcpaav.dll.vir >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\QooBox\Quarantine\C\WINDOWS\system32\sfmtkiin.dll.vir >>> suspicion for Trojan.Win32.BHO.g ( 0AF37A9C 0175643C 0027A1EF 00255ECC 49204)
C:\QooBox\Quarantine\C\WINDOWS\system32\tsgbdqeq.dll.vir >>> suspicion for AdvWare.Win32.BHO.v ( 0B634177 064B4968 0024BD1E 00280BC9 124436)
C:\QooBox\Quarantine\C\WINDOWS\system32\viavejlq.dll.vir >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\QooBox\Quarantine\C\WINDOWS\system32\wlyluqvo.dll.vir >>> suspicion for AdvWare.Win32.BHO.v ( 0B9D9EDF 03ABBA0A 00286896 00280E64 125460)
C:\QooBox\Quarantine\C\WINDOWS\system32\wqovnypm.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B527BB8 01EFFACC 0024909E 002685D6 132660)
C:\QooBox\Quarantine\C\WINDOWS\system32\xyxkgvky.dll.vir >>> suspicion for Trojan.Win32.BHO.g ( 0B52CEDA 01568055 00263EE0 0023AF63 49204)
C:\QooBox\Quarantine\catchme2007-07-27_215729.57.zip/{ZIP}/core.sys >>> suspicion for Rootkit.Win32.Agent.eq ( 09467360 06A5F7CD 0025D115 00226578 72320)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP176\A0066604.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP180\A0076844.exe
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP181\A0076847.exe
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP181\A0076899.exe
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP181\A0079906.exe
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184\A0083913.dll >>> suspicion for AdvWare.Win32.Virtumonde.hb ( 0B98AB21 01F6F305 0025B262 00256691 132660)
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP188\A0096215.exe
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP189\A0101316.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP189\A0101317.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP191\A0106353.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B1B4526 01D07FDC 002689E8 0028E1FF 132660)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP196\A0111639.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B527BB8 01EFFACC 0024909E 002685D6 132660)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP203\A0117856.dll >>> suspicion for AdvWare.Win32.Virtumonde.kg ( 0B99DBC7 01B1A046 0029D636 0023A4D6 131124)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131360.scr >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131371.DLL >>>>> AdvWare.Win32.ToolBar.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131372.DLL >>>>> AdvWare.Win32.MyWebSearch.af
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131374.DLL >>>>> AdvWare.Win32.MyWebSearch.au
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131375.SCR >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131376.DLL >>>>> AdvWare.Win32.MyWebSearch.au
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131377.DLL >>>>> AdvWare.Win32.ToolBar.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131378.EXE >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131379.DLL >>>>> AdvWare.Win32.MyWebSearch.an
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131380.DLL >>>>> AdvWare.Win32.MyWebSearch.aq
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131381.DLL >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131384.DLL >>>>> AdvWare.Win32.IWon.a
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131388.DLL >>>>> AdvWare.ToolBar.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP215\A0132324.DLL >>> suspicion for AdvWare.Win32.MyWebSearch.as ( 0075D21B 00000000 00212D13 0023D2AA 57344)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP215\A0132329.EXE >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP215\A0132330.DLL >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134644.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134646.dll >>> suspicion for AdvWare.Win32.Virtumonde.kb ( 0B3135E1 015E435F 0027AE21 00250DA2 50745)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134647.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134649.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134653.dll >>> suspicion for AdvWare.Win32.Virtumonde.ir ( 0D461F06 01A2B9DE 0029E2BB 00280214 49204)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134654.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134659.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134661.dll >>> suspicion for Trojan.Win32.BHO.g ( 0AF37A9C 0175643C 0027A1EF 00255ECC 49204)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134666.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134668.dll >>> suspicion for AdvWare.Win32.BHO.v ( 0B9D9EDF 03ABBA0A 00286896 00280E64 125460)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134669.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B527BB8 01EFFACC 0024909E 002685D6 132660)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134670.dll >>> suspicion for Trojan.Win32.BHO.g ( 0B52CEDA 01568055 00263EE0 0023AF63 49204)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP224\A0134690.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0BF5787C 017E8DFB 00287344 00254D91 58420)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP224\A0135535.DLL >>> suspicion for Trojan.Win32.BHO.bd ( 0BF5787C 017E8DFB 00287344 00254D91 58420)
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP248\A0145569.exe
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156536.dll >>>>> Keylogger.Win32.KGBSpy.34
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156674.dll >>> suspicion for AdvWare.Win32.Virtumonde.kg ( 0B99DBC7 01B1A046 0029D636 0023A4D6 131124)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156675.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156676.dll >>> suspicion for AdvWare.Win32.Virtumonde.kb ( 0B3135E1 015E435F 0027AE21 00250DA2 50745)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156677.dll >>> suspicion for AdvWare.Win32.BHO.v ( 0B634177 064B4968 0024BD1E 00280BC9 124436)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156678.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156679.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156680.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B362F6C 01B7C443 0023F233 0023CD05 131124)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156681.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B362F6C 01B7C443 0023F233 0023CD05 131124)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156682.dll >>> suspicion for AdvWare.Win32.Virtumonde.ir ( 0D461F06 01A2B9DE 0029E2BB 00280214 49204)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156683.dll >>> suspicion for Trojan.Win32.BHO.o ( 0C110628 005E5E84 0023A0B2 0025270C 55316)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156684.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156686.dll >>> suspicion for AdvWare.Win32.BHO.v ( 0BBC8AB8 0400D4A1 00248BCC 0028C2C4 125460)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156687.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156688.dll >>> suspicion for Trojan.Win32.BHO.g ( 0AF37A9C 0175643C 0027A1EF 00255ECC 49204)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156689.dll >>> suspicion for AdvWare.Win32.BHO.v ( 0B634177 064B4968 0024BD1E 00280BC9 124436)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156690.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156691.dll >>> suspicion for AdvWare.Win32.BHO.v ( 0B9D9EDF 03ABBA0A 00286896 00280E64 125460)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156692.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B527BB8 01EFFACC 0024909E 002685D6 132660)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156693.dll >>> suspicion for Trojan.Win32.BHO.g ( 0B52CEDA 01568055 00263EE0 0023AF63 49204)
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP259\change.log
Direct reading C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{51C08E9B-857D-4E70-A6F4-EF26F1A870C1}.crmlog
Direct reading C:\WINDOWS\SchedLgU.Txt
Direct reading C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
C:\WINDOWS\system32\awtst.exe - Suspicion for Virus.Win32.PE_Type1(danger level 75%)
Direct reading C:\WINDOWS\system32\CatRoot2\edb.log
Direct reading C:\WINDOWS\system32\CatRoot2\tmp.edb
Direct reading C:\WINDOWS\system32\config\Antivirus.Evt
Direct reading C:\WINDOWS\system32\config\AppEvent.Evt
Direct reading C:\WINDOWS\system32\config\default
Direct reading C:\WINDOWS\system32\config\Media Ce.evt
Direct reading C:\WINDOWS\system32\config\SAM
Direct reading C:\WINDOWS\system32\config\SecEvent.Evt
Direct reading C:\WINDOWS\system32\config\SECURITY
Direct reading C:\WINDOWS\system32\config\software
Direct reading C:\WINDOWS\system32\config\SysEvent.Evt
Direct reading C:\WINDOWS\system32\config\system
Direct reading C:\WINDOWS\system32\drivers\sptd.sys
Direct reading C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
C:\WINDOWS\system32\xhayksms.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B362F6C 01B7C443 0023F233 0023CD05 131124)
Direct reading C:\WINDOWS\Temp\Perflib_Perfdata_58c.dat
Direct reading C:\WINDOWS\WindowsUpdate.log
D:\I386\DRV\APP32031\src\runHSC.exe >>> suspicion for AdvWare.Win32.VirtualBouncer.c ( 0044105C 00304E19 000EF470 00000000 16384)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\nview.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\nview.dll>>> Behavioral analysis:
1. Reacts to events: keyboard, window events, all events
2. Determines PID of current process
C:\WINDOWS\system32\nview.dll>>> Neural net: file with probability of 0.22% like a typical keyboard/mouse events interceptor
C:\Program Files\Xfire\xfire_toucan_26993.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Program Files\Xfire\xfire_toucan_26993.dll>>> Behavioral analysis:
1. Reacts to events: keyboard, window events, all events
C:\Program Files\Xfire\xfire_toucan_26993.dll>>> Neural net: file with probability of 23.09% like a typical keyboard/mouse events interceptor
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
In the database: 317 port descriptions
Opened at this PC: 98 TCP ports and 46 UDP ports
>> Attention: Port 1116 UDP - Backdoor.Lurker (c:\program files\xfire\xfire.exe)
Note: Do NOT delete suspicious files, send them for analysis (see FAQ and Help for more details)
7. Heuristic system check
Checking complete
Files scanned: 500648, extracted from archives: 394229, malicious programs found 37
Scanning finished at 7/30/2007 1:43:54 AM
Time of scanning: 01:33:22
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info (http://\"http://virusinfo.info\") conference
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:59 AM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab (http://\"http://www.tricksteronline.com/control/tricksterActiveX.cab\")
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab (http://\"http://www.tricksteronline.com/control/KALogoutComponent.cab\")
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsjch.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 6614 bytes
Post by: guestolo on July 30, 2007, 08:16:29 AM
Do a "System scan only" with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Can we see what the 2 fixes repaired I had you run in safe mode
Do a fresh scan with Combofix please
When it's done, post the new log>>C:\Combofix.txt
Let me know how things are running
Post by: asiankid on July 30, 2007, 10:56:21 AM
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />"HP_Administrator" - 2007-07-30 11:07:24 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\xhayksms.dll
C:\WINDOWS\system32\smskyahx.ini
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))
2007-07-30 01:41 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\SystemRequirementsLab
2007-07-29 23:45 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-29 23:40 <DIR> drahs---- C:\autorun.inf
2007-07-28 15:34 <DIR> d-------- C:\Program Files\DivX
2007-07-28 00:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-27 21:52 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 21:44 <DIR> d-------- C:\bintheredunthat
2007-07-27 21:17 <DIR> d-------- C:\BFU
2007-07-15 11:34 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-14 15:18 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-07-14 15:18 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-12 23:38 <DIR> d-------- C:\Program Files\America's Army Server Manager
2007-07-11 18:25 <DIR> d-------- C:\Program Files\Free Download Manager
2007-07-09 15:07 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-09 15:07 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-07 21:24 <DIR> d-------- C:\Program Files\EA GAMES
2007-07-07 21:17 <DIR> d-------- C:\NVIDIA
2007-06-21 14:47 <DIR> d-------- C:\Program Files\eMule
2007-06-21 10:49 45,568 --a------ C:\WINDOWS\system32\dsupl.exe
2007-06-21 01:08 2,472 --a------ C:\clean.bat
2007-06-21 00:19 <DIR> d-------- C:\Program Files\Error Expert
2007-06-20 22:52 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-06-18 22:30 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Sonic
2007-06-18 22:30 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Leadertech
2007-06-17 12:26 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-17 12:10 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-17 12:10 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-17 12:10 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-17 12:10 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-17 12:10 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-17 12:10 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-17 12:10 <DIR> dr-h----- C:\DOCUME~1\HP_ADM~1\APPLIC~1\SecuROM
2007-06-17 12:00 <DIR> d-------- C:\Program Files\Ubisoft
2007-06-17 11:42 <DIR> d-------- C:\Program Files\DaemonTools_WhenUSave_Installer
2007-06-17 11:38 686,840 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-17 11:12 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinRAR
2007-06-13 23:03 <DIR> d-------- C:\Program Files\Globe7
2007-06-13 00:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-13 00:25 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Azureus
2007-06-13 00:24 <DIR> d-------- C:\Program Files\Azureus
2007-06-12 23:57 <DIR> d-------- C:\Program Files\style bind
2007-06-09 19:09 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-09 19:09 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-09 19:09 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-09 19:09 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-09 19:09 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-09 19:09 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-09 19:08 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-08 17:56 1,859,254 ---hs---- C:\WINDOWS\system32\mpqss.ini2
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-30 15:49:09 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Xfire
2007-07-28 19:34:26 4,576 ----a-w C:\WINDOWS\mozver.dat
2007-07-27 21:54:34 -------- d-----w C:\Program Files\WarRock
2007-07-27 21:35:14 -------- d-s---w C:\Program Files\Xfire
2007-07-27 17:45:40 -------- d-sh--w C:\Program Files\Free KGB Key Logger
2007-07-27 17:45:13 -------- d-----w C:\Program Files\music_now
2007-07-13 03:51:08 -------- d-----w C:\Program Files\LimeWire
2007-07-13 03:39:03 -------- d-----w C:\Program Files\America's Army
2007-07-13 01:38:28 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-07-08 01:24:58 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-26 05:32:13 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\style bind
2007-06-21 04:10:49 -------- d-----w C:\Program Files\Share_Accelerator_MM
2007-06-18 21:44:30 -------- d-----w C:\Program Files\AIM6
2007-06-18 21:44:28 -------- d-----w C:\Program Files\Viewpoint
2007-06-13 15:25:17 -------- d-----w C:\Program Files\Common Files\stardock
2007-06-13 04:42:42 -------- d-----w C:\Program Files\BitTorrent
2007-06-13 04:03:14 -------- d-----w C:\Program Files\BitDownload
2007-06-11 00:46:35 1,848,069 --sh--w C:\WINDOWS\system32\mpqss.bak1
2007-06-10 00:46:25 1,849,579 --sha-w C:\WINDOWS\system32\mpqss.bak2
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-11-20 00:26:12 0 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat
2006-12-13 22:32:22 80 --sh--r C:\WINDOWS\system32\4090D52FA0.dll
2006-11-22 03:04:32 88 --sh--r C:\WINDOWS\system32\A02FD59040.sys
2006-11-22 03:04:32 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 00:54 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-01-24 15:15 C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 19:35]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 15:15]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-29 11:09]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-07-10 21:07:46]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 14:40:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
R0 bb-run;Promise driver accelerator;C:\WINDOWS\system32\DRIVERS\bb-run.sys
R0 ftsata2;ftsata2;C:\WINDOWS\system32\DRIVERS\ftsata2.sys
R0 iaStor;Intel RAID Controller;C:\WINDOWS\system32\DRIVERS\iaStor.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys
R2 ARSVC;ARSVC;C:\WINDOWS\arservice.exe
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R3 aracpi;aracpi;C:\WINDOWS\system32\DRIVERS\aracpi.sys
R3 arkbcfltr;Microsoft PS2 Keyboard Filter;C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
R3 armoucfltr;Microsoft PS2 Mouse Filter;C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
R3 ARPolicy;ARPolicy;C:\WINDOWS\system32\DRIVERS\arpolicy.sys
R3 Ps2;PS2;C:\WINDOWS\system32\DRIVERS\PS2.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 usbstor;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S1 rxp;rxp;\??\C:\WINDOWS\system32\drivers\rxp.sys
S2 AFSEGTGF Windows Service;AFSEGTGF Windows Service;C:\WINDOWS\system32\dsjch.exe -service
S3 arhidfltr;MS Ar HID Filter Driver;C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\E:\INSTAL~E\Core\BVRPMPR5.SYS
S3 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 MR97310_USB_DUAL_CAMERA;CIF Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1);C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
S3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fd56ec3-0bf3-11dc-8a35-0c0c0c0c0c01}]
Auto\command- F:\tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9666843c-22cb-11dc-8a66-0c0c0c0c0c01}]
Auto\command- tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98983a3a-5630-11db-87a0-001731c64165}]
Auto\command- tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7B566F8A-624C-2570-0B75-A27CDC7119CF}
C:\WINDOWS\NtmsData\klswd.exe s
Contents of the 'Scheduled Tasks' folder
2007-07-30 07:00:00 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2007-07-30 11:52:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-30 11:53:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 11:53
C:\ComboFix2.txt ... 2007-07-27 21:59
--- E O F ---
Post by: guestolo on July 30, 2007, 06:51:34 PM
Delete Combofix.exe on desktop
Download a fresh copy of Combofix from [color=\"#0000FF\"]HERE[/color] (http://\"http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe\")
Save it again to desktop
We'll need it in a bit
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- AFSEGTGF Windows Service
Double click on it---
In the drop down menu, change the startup type to Disabled
Apply it and then exit out of there
Open notepad and copy/paste the text in the quotebox below into it:
Quote
File::
C:\autorun.inf
C:\WINDOWS\system32\mpqss.ini2
C:\WINDOWS\system32\mpqss.bak1
C:\WINDOWS\system32\mpqss.bak2
C:\WINDOWS\system32\dsjch.exe
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
Folder::
C:\bintheredunthat
C:\BFU
C:\Program Files\DaemonTools_WhenUSave_Installer
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fd56ec3-0bf3-11dc-8a35-0c0c0c0c0c01}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9666843c-22cb-11dc-8a66-0c0c0c0c0c01}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98983a3a-5630-11db-87a0-001731c64165}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7B566F8A-624C-2570-0B75-A27CDC7119CF}]
Save this file with the name of
CFScript
(http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)
Take note the pic above
Drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Could you also do the following
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
go to either of these links
http://www.virustotal.com/ (http://\"http://www.virustotal.com/\")
OR
http://virusscan.jotti.org/ (http://\"http://virusscan.jotti.org/\")
Use the browse button and navigate to the file on your harddrive
C:\WINDOWS\system32\dsupl.exe<-this file
Right click on the file, and choose Select>>or double click on it
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Do the same for these files also
C:\WINDOWS\system32\4090D52FA0.dll
C:\WINDOWS\system32\A02FD59040.sys
NOTE: I see this in your combofix.txt
C:\Program Files\Free KGB Key Logger
Did you knowingly install this key logger? If not we should remove it
Post by: asiankid on July 30, 2007, 09:21:06 PM
ComboFix 07-07-31 - "HP_Administrator" 2007-07-30 21:19:25.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\autorun.inf
C:\BFU
C:\BFU\alcanshorty.bfu
C:\BFU\BFU.exe
C:\bintheredunthat
C:\Program Files\DaemonTools_WhenUSave_Installer
C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
C:\WINDOWS\system32\mpqss.bak1
C:\WINDOWS\system32\mpqss.bak2
C:\WINDOWS\system32\mpqss.ini2
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))
2007-07-30 01:41 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\SystemRequirementsLab
2007-07-29 23:45 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-28 15:34 <DIR> d-------- C:\Program Files\DivX
2007-07-28 00:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-27 21:52 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-15 11:34 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-14 15:18 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-07-14 15:18 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-12 23:38 <DIR> d-------- C:\Program Files\America's Army Server Manager
2007-07-11 18:25 <DIR> d-------- C:\Program Files\Free Download Manager
2007-07-09 15:07 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-09 15:07 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-07 21:24 <DIR> d-------- C:\Program Files\EA GAMES
2007-07-07 21:17 <DIR> d-------- C:\NVIDIA
2007-06-21 14:47 <DIR> d-------- C:\Program Files\eMule
2007-06-21 10:49 45,568 --a------ C:\WINDOWS\system32\dsupl.exe
2007-06-21 01:08 2,472 --a------ C:\clean.bat
2007-06-21 00:19 <DIR> d-------- C:\Program Files\Error Expert
2007-06-20 22:52 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-06-18 22:30 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Sonic
2007-06-18 22:30 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Leadertech
2007-06-17 12:26 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-17 12:10 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-17 12:10 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-17 12:10 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-17 12:10 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-17 12:10 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-17 12:10 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-17 12:10 <DIR> dr-h----- C:\DOCUME~1\HP_ADM~1\APPLIC~1\SecuROM
2007-06-17 12:00 <DIR> d-------- C:\Program Files\Ubisoft
2007-06-17 11:38 686,840 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-17 11:12 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinRAR
2007-06-13 23:03 <DIR> d-------- C:\Program Files\Globe7
2007-06-13 00:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-13 00:25 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Azureus
2007-06-13 00:24 <DIR> d-------- C:\Program Files\Azureus
2007-06-12 23:57 <DIR> d-------- C:\Program Files\style bind
2007-06-09 19:09 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-09 19:09 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-09 19:09 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-09 19:09 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-09 19:09 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-09 19:09 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-09 19:08 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-30 17:25 --------- d-------- C:\Program Files\WarRock
2007-07-30 11:52 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Xfire
2007-07-28 15:34 4576 --a------ C:\WINDOWS\mozver.dat
2007-07-27 17:35 --------- d---s---- C:\Program Files\Xfire
2007-07-27 13:45 --------- d--hs---- C:\Program Files\Free KGB Key Logger
2007-07-27 13:45 --------- d-------- C:\Program Files\music_now
2007-07-12 23:51 --------- d-------- C:\Program Files\LimeWire
2007-07-12 23:39 --------- d-------- C:\Program Files\America's Army
2007-07-12 21:38 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-07-07 21:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-26 01:32 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\style bind
2007-06-21 00:10 --------- d-------- C:\Program Files\Share_Accelerator_MM
2007-06-18 17:44 --------- d-------- C:\Program Files\Viewpoint
2007-06-18 17:44 --------- d-------- C:\Program Files\AIM6
2007-06-13 11:25 --------- d-------- C:\Program Files\Common Files\stardock
2007-06-13 00:42 --------- d-------- C:\Program Files\BitTorrent
2007-06-13 00:03 --------- d-------- C:\Program Files\BitDownload
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-19 20:26 0 --a------ C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat
2006-12-13 22:32:22 80 --sh--r C:\WINDOWS\system32\4090D52FA0.dll
2006-11-22 03:04:32 88 --sh--r C:\WINDOWS\system32\A02FD59040.sys
2006-11-22 03:04:32 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 00:54 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-01-24 15:15 C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 19:35]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-29 11:09]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-07-10 21:07:46]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 14:40:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
R0 bb-run;Promise driver accelerator;C:\WINDOWS\system32\DRIVERS\bb-run.sys
R0 ftsata2;ftsata2;C:\WINDOWS\system32\DRIVERS\ftsata2.sys
R0 iaStor;Intel RAID Controller;C:\WINDOWS\system32\DRIVERS\iaStor.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys
R2 ARSVC;ARSVC;C:\WINDOWS\arservice.exe
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R3 aracpi;aracpi;C:\WINDOWS\system32\DRIVERS\aracpi.sys
R3 arkbcfltr;Microsoft PS2 Keyboard Filter;C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
R3 armoucfltr;Microsoft PS2 Mouse Filter;C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
R3 ARPolicy;ARPolicy;C:\WINDOWS\system32\DRIVERS\arpolicy.sys
R3 Ps2;PS2;C:\WINDOWS\system32\DRIVERS\PS2.sys
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S1 rxp;rxp;\??\C:\WINDOWS\system32\drivers\rxp.sys
S3 arhidfltr;MS Ar HID Filter Driver;C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\E:\INSTAL~E\Core\BVRPMPR5.SYS
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 MR97310_USB_DUAL_CAMERA;CIF Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S4 AFSEGTGF Windows Service;AFSEGTGF Windows Service;C:\WINDOWS\system32\dsjch.exe -service
*Newly Created Service* - PNKBSTRK
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2007-07-30 21:21:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-30 21:22:18
C:\ComboFix-quarantined-files.txt ... 2007-07-30 21:22
C:\ComboFix2.txt ... 2007-07-30 11:53
C:\ComboFix3.txt ... 2007-07-27 21:59
--- E O F ---
File: dsupl.exe Status: [color=\"red\"]INFECTED/MALWARE[/color] MD5: 30adac128c2c3491e48ee019435ddb53 Packers detected: - Bit9 reports: File not found
Scan taken on 31 Jul 2007 02:35:14 (GMT) A-Squared Found nothing AntiVir Found TR/Genetik.FH ArcaVir Found nothing Avast Found nothing AVG Antivirus Found Generic5.LAK BitDefender Found Trojan.Dloader.BKV ClamAV Found Trojan.Downloader-11698 CPsecure Found nothing Dr.Web Found DLOADER.Trojan (probable variant) F-Prot Antivirus Found Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus F-Secure Anti-Virus Found Trojan.Win32.Small.mw Fortinet Found W32/GENETIK.DH!tr Kaspersky Anti-Virus Found Trojan.Win32.Small.mw NOD32 Found probably a variant of Win32/Genetik (probable variant) Norman Virus Control Found W32/Malware.YJJ Panda Antivirus Found Generic Rising Antivirus Found nothing Sophos Antivirus Found Mal/Behav-010 VirusBuster Found nothing VBA32 Found nothing
File: 4090D52FA0.dll Status: [color=\"#00bb00\"]OK[/color] MD5: 55831523fc98753fa7f47581a2bbe16a Packers detected: - Bit9 reports: File not found
Scan taken on 31 Jul 2007 02:39:42 (GMT) A-Squared Found nothing AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing CPsecure Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing F-Secure Anti-Virus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing Panda Antivirus Found nothing Rising Antivirus Found nothing Sophos Antivirus Found nothing VirusBuster Found nothing VBA32 Found nothing
File: A02FD59040.sys Status: [color=\"#00bb00\"]OK[/color] MD5: 25e6d10d08f9b655d7a79afee7632278 Packers detected: - Bit9 reports: File not found
Scan taken on 31 Jul 2007 02:42:57 (GMT) A-Squared Found nothing AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing CPsecure Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing F-Secure Anti-Virus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing Panda Antivirus Found nothing Rising Antivirus Found nothing Sophos Antivirus Found nothing VirusBuster Found nothing VBA32 Found nothing
EDIT: Okay it's better.
Post by: guestolo on July 30, 2007, 10:54:50 PM
and that service name is being stubborn
Please do the following,
Download [color=\"blue\"]OTMoveIt[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe\") by OldTimer:
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
C:\WINDOWS\system32\dsupl.exe
C:\Program Files\Free KGB Key Logger
====================================================== - Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "[color=\"red\"]MoveIt![/color]" button.
- Close OTMoveIt.
OTMoveIt will create a log here
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run., I'll need to see this log in a bit
Click Start > Run > and type in:
services.msc
Click OK.
In the services window find this exact name
AFSEGTGF Windows Service
Right click on it and choose "Properties".
Beside "Startup Type" in the dropdown menu select "Disabled".
On the "General" tab under "Service Status", if selectable, click the "Stop" button to stop the service.
Click Apply then OK.
Exit
Immediately afterwards
Open Hijackthis>>
Click the Open the Misc Tools section
Click the Delete an NT Service button
In the next window in the open blank field
Copy>>Paste the bold text below
AFSEGTGF Windows Service
Then click the OK button
Hijackthis should warn the service will be deleted and to restart computer
Do so
Back in Windows
Come back here and post a fresh hijackthis log and the log from OTMoveIt please
Post by: asiankid on July 31, 2007, 11:20:46 AM
File/Folder C:\Program Files\Free KGB Key Logger not found.
Created on 07/31/2007 12:04:30
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:10 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\OTMoveIt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop\")
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab (http://\"http://www.tricksteronline.com/control/tricksterActiveX.cab\")
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab (http://\"http://www.tricksteronline.com/control/KALogoutComponent.cab\")
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 6558 bytes
Post by: guestolo on July 31, 2007, 07:18:07 PM
File/Folder C:\Program Files\Free KGB Key Logger not found.
Did you already manually delete the file and folder???
Post by: asiankid on July 31, 2007, 08:28:11 PM
Post by: guestolo on July 31, 2007, 10:30:12 PM
You can delete
tel.xls.exe_Remover.exe
Flash_Disinfector.exe
avz4en.zip and it's folder
If everything is running better
Please do the following
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name and click Create
When that's done
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let if finish calculating
Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made
Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning
You should give your computer a bit more protection
Install
SpywareBlaster 3.5.1 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
- *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
Keep your AV updated and actively running in the background
double-click OTMoveIt.exe to run it.
Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Select Yes to reboot Now
Back in Windows
Empty the recycle bin
NOTE: I would change all passwords to email, online banking, online gaming, etc..
As you had signs of a keylogger that you didn't install yourself
I hope that helps
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Post by: asiankid on August 01, 2007, 10:57:10 AM
Post by: guestolo on August 01, 2007, 10:35:31 PM
Take care asiankid
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />