« previous next »
Pages: [1] 2

Author Topic: lots of trojans  (Read 5044 times)

Offline natro charlo

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
lots of trojans
« on: April 30, 2008, 07:16:17 AM »
thought i could fix my friends computer this time but man there are way to many virus on it..and they keep renaming themselves :-(

heres the hijack this log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:17:05 AM, on 2008-04-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel® Alert Service (AlertService) - Unknown owner - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Intel® Quick Resume technology (ELService) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv(tm) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

--
End of file - 3013 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
lots of trojans
« Reply #1 on: April 30, 2008, 09:01:35 AM »
I'm just on my way to work
In the meantime can you do the following please

 
Download [color=\"#008000\"]Deckard's System Scanner (dss.exe)[/color] to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.

Post back just the Whole contents of Main.txt and Extra.txt
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline natro charlo

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
lots of trojans
« Reply #2 on: April 30, 2008, 05:37:59 PM »
main.txt

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-30 18:36:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
97: 2008-04-30 22:36:23 UTC - RP149 - Deckard's System Scanner Restore Point
96: 2008-04-30 20:15:33 UTC - RP148 - Software Distribution Service 3.0
95: 2008-04-30 03:34:31 UTC - RP147 - Uniblue RegistryBooster
94: 2008-04-30 03:14:58 UTC - RP146 - Move file to quarantine: MCRD Device Service
93: 2008-04-30 03:14:24 UTC - RP145 - Uninstall "Remote UI Service"


-- First Restore Point --
1: 2008-02-01 01:15:51 UTC - RP53 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

 

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:47 PM, on 2008-04-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel® Alert Service (AlertService) - Unknown owner - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Intel® Quick Resume technology (ELService) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv(tm) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

--
End of file - 3079 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080429-213029-134 O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
backup-20080429-213029-173 O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
backup-20080429-213029-288 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080429-213029-311 O2 - BHO: (no name) - {BF8B63A6-DA33-A5E0-13E1-D08F76262B93} - C:\WINDOWS\system32\xasxtl.dll
backup-20080429-213029-353 O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
backup-20080429-213029-596 O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
backup-20080429-213029-687 O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
backup-20080429-213029-752 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
backup-20080429-213029-823 O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
backup-20080429-213029-950 O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\addressBook.exe" /d locale=en-US ee://aol/imApp
backup-20080429-213029-957 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080429-213030-189 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20080429-213030-309 O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080429-213030-392 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20080429-213030-430 O20 - Winlogon Notify: vtuussp - vtuussp.dll (file missing)
backup-20080429-213030-513 O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
backup-20080429-213030-547 O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
backup-20080429-213030-645 O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
backup-20080429-213030-688 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080429-213030-754 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080429-213030-783 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200114690640
backup-20080429-213030-834 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080429-213031-347 O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
backup-20080429-213031-453 O23 - Service: Intel® Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
backup-20080429-213031-547 O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
backup-20080429-213031-854 O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
backup-20080429-213031-874 O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
backup-20080429-213031-929 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
backup-20080429-221452-143 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080429-221452-210 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080429-221452-342 O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (file missing)
backup-20080429-221452-438 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080429-221452-658 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080429-221452-833 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080429-221452-876 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080429-221453-405 O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
backup-20080429-221453-459 O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
backup-20080429-221453-475 O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
backup-20080429-221453-738 O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
backup-20080429-221453-984 O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
backup-20080429-221603-167 O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
backup-20080429-221603-190 O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
backup-20080429-221603-595 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/index.php
backup-20080429-221603-906 O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
backup-20080429-221603-918 O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
backup-20080429-221604-126 O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
backup-20080429-221604-142 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
backup-20080429-221604-258 O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
backup-20080429-221604-405 O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
backup-20080429-221604-457 O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
backup-20080429-221604-585 O23 - Service: Intel® Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
backup-20080429-221604-650 O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ELhid (EL hid Service) - c:\windows\system32\drivers\elhid.sys <Not Verified; Intel Corporation; Intel® Quick Resume Technology>
R1 ELkbd (EL KB Service) - c:\windows\system32\drivers\elkbd.sys <Not Verified; Intel Corporation; Intel® Quick Resume Technology>
R1 ELmon (EL Monitor Service) - c:\windows\system32\drivers\elmon.sys <Not Verified; Intel Corporation; Intel® Quick Resume Technology>
R1 ELmou (EL Mouse Service) - c:\windows\system32\drivers\elmou.sys <Not Verified; Intel Corporation; Intel® Quick Resume Technology>

S3 catchme - c:\combofix\catchme.sys (file missing)
S3 GoProto (GoProto Protocol Driver) - c:\windows\system32\drivers\goprot51.sys <Not Verified; Gteko Ltd.; Gteko Diagnostics Network Module>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 TSHWMDTCP - c:\program files\intel\inteldh\intel media server\media server\bin\tshwmdtcp.sys
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 ISSM (Intel® Software Services Manager) - "c:\program files\intel\inteldh\intel media server\media server\bin\issm.exe" <Not Verified; Intel Corporation; Intel® Viiv(tm) Software>
R2 M1 Server (Intel® Viiv(tm) Media Server) - c:\program files\intel\inteldh\intel media server\media server\bin\mediaserver.exe
R2 MCLServiceATL (Intel® Application Tracker) - "c:\program files\intel\inteldh\intel media server\shells\mclserviceatl.exe" <Not Verified; Intel Corporation; Intel® Viiv(tm) Software>
R2 Remote UI Service (Intel® Remoting Service) - "c:\program files\intel\inteldh\intel media server\shells\remote ui service.exe" <Not Verified; Intel Corporation; Intel® Viiv(tm) Software>

S2 AlertService (Intel® Alert Service) - "c:\program files\intel\inteldh\ccu\alertservice.exe" (file missing)
S2 ELService (Intel® Quick Resume technology) - c:\program files\intel\inteldh\intel® quick resume technology drivers\elservice.exe (file missing)
S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\1D4D676902700
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\1D4D676902700
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-04-18 15:28:38       284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-04-15 20:31:10       350 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet3500#CN3AN3D4887O.job


-- Files created between 2008-03-30 and 2008-04-30 -----------------------------

2008-04-29 23:33:17         0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-04-29 23:29:55         0 d-------- C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-04-29 23:29:21         0 d-------- C:\Program Files\DNA
2008-04-29 23:29:21         0 d-------- C:\Program Files\BitTorrent
2008-04-29 23:29:21         0 d-------- C:\Documents and Settings\Administrator\Application Data\DNA
2008-04-29 23:27:11         0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-29 23:27:07         0 d-------- C:\Program Files\Uniblue
2008-04-29 23:11:39         0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-29 23:11:35         0 d-------- C:\Program Files\Security Task Manager
2008-04-29 22:41:30         0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 22:41:25         0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 22:41:25         0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-29 22:40:04         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-29 21:27:37         0 d-------- C:\Program Files\Trend Micro
2008-04-29 20:06:57         0 d-------- C:\WINDOWS\BDOSCAN8
2008-04-29 19:26:36     68096 --a------ C:\WINDOWS\zip.exe
2008-04-29 19:26:36    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-29 19:26:36     80412 --a------ C:\WINDOWS\grep.exe
2008-04-29 19:26:35     49152 --a------ C:\WINDOWS\VFind.exe
2008-04-29 19:26:35    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-29 19:26:35     98816 --a------ C:\WINDOWS\sed.exe
2008-04-29 19:26:35     73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-29 19:26:34    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-29 18:40:22         0 d-------- C:\Program Files\TweakNow RegCleaner Std
2008-04-29 18:33:54         0 d-------- C:\WINDOWS\SxsCaPendDel
2008-04-29 18:15:13         0 d-------- C:\WINDOWS\pss
2008-04-17 11:58:32         0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-04-30 16:13:18      6754 --a------ C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2008-04-29 23:17:46         0 d-------- C:\Program Files\Intel
2008-04-29 22:40:04         0 d-------- C:\Program Files\Common Files
2008-04-29 22:23:43         0 d-------- C:\Program Files\Google
2008-04-29 22:09:33         0 d-------- C:\Program Files\Java
2008-04-29 22:08:07         0 d-------- C:\Program Files\Netscape Internet Service
2008-04-29 22:07:52         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-29 22:07:52         0 d-------- C:\Program Files\CyberLink
2008-04-29 22:04:19         0 d-------- C:\Program Files\Common Files\AOL
2008-04-29 21:59:34         0 d-------- C:\Program Files\The Weather Channel FW
2008-04-29 21:57:01         0 d-------- C:\Program Files\Common Files\Real
2008-04-29 20:29:44         0 d-------- C:\Program Files\Messenger
2008-04-29 20:29:22         0 d-------- C:\Program Files\iTunes
2008-04-29 20:16:40     19456 --a------ C:\Documents and Settings\Administrator\Application Data\zjbstyocxdbf.0xe
2008-04-29 20:16:38     19456 --a------ C:\Documents and Settings\Administrator\Application Data\ssmm.0xe
2008-04-29 20:16:37     19456 --a------ C:\Documents and Settings\Administrator\Application Data\pqmvhtkhi.0xe
2008-04-29 20:16:31     19456 --a------ C:\Documents and Settings\Administrator\Application Data\fxyebvgcwzy.0xe
2008-04-29 20:16:30     19456 --a------ C:\Documents and Settings\Administrator\Application Data\eyouk.0xe
2008-04-29 20:16:29     19456 --a------ C:\Documents and Settings\Administrator\Application Data\etbruiyrqm.0xe
2008-04-29 18:28:12         0 d-------- C:\Program Files\Hewlett-Packard
2008-04-29 18:27:18         0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-02-12 15:56:24      1158 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-05 05:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-29 11:29 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\909d1eba]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awola]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93ae2d26]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bnhfygw]
"C:\Documents and Settings\Administrator\My Documents\T?sks\r?gedit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ealb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
"C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
"C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Registration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
"C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prdwhxns]
"C:\Program Files\Common Files\A?pPatch\w?auclt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask            .exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]

 


-- End of Deckard's System Scanner: finished at 2008-04-30 18:37:12 ------------

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core(tm)2 CPU          6300  @ 1.86GHz
CPU 1: Intel® Core(tm)2 CPU          6300  @ 1.86GHz
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 1005.8 MiB / 680.53 MiB
Pagefile Memory (total/avail): 2420.8 MiB / 2189.3 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.32 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 228.45 GiB total, 217.31 GiB free.
D: is Fixed (FAT32) - 4.42 GiB total, 1.98 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-22NCB1 - 232.88 GiB - 2 partitions
  \PARTITION0 (bootable) - Installable File System - 228.45 GiB - C:
  \PARTITION1 - Unknown - 4.43 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

 

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

FW:  v (McAfee) [color=\"RED\"]Disabled[/color]
AV:  v (McAfee) [color=\"RED\"]Disabled[/color] [color=\"RED\"]Outdated[/color]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-776A965251
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\YOUR-776A965251
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=YOUR-776A965251
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

IUSR_NMPR
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> MsiExec.exe /I{3BF1390E-9EAE-4C2A-B30C-3992233FBCBA}
 --> MsiExec.exe /X{16DDE3E0-98D6-40AC-BCF0-5EAB81965AE3}
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Bicycle Board Games --> "C:\Program Files\Microsoft Games\Bicycle Board Games\UNINSTAL.EXE" /runtemp /addremove
BitTorrent --> C:\Program Files\BitTorrent\uninst.exe
Charter High Speed Internet Self-Installation Wizard --> MsiExec.exe /I{5AF8C46D-A141-4E69-9EB5-76A43ED29281}
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp deskjet 3500 --> msiexec /x{8FD62EBB-3175-4907-A326-989B14E5C757}
HP Driver Diagnostics --> MsiExec.exe /I{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}
hp print screen utility --> C:\Program Files\Hewlett-Packard\hp print screen utility\UnInstall\prnunins.exe
Intel Audio Studio 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2205E3A5-DCDC-461D-8ED6-D6F2341D3B64}\setup.exe" -l0x9
Intel® Management Engine Interface --> C:\WINDOWS\system32\heciudlg.exe -uninstall
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® Quick Resume Technology Drivers --> C:\WINDOWS\System32\Elusetup.exe
Intel® Viiv™ Software --> MsiExec.exe /X{DA327C6D-D8F1-4587-B4DE-10C39BF6B891} /qb!
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe"  -uninstall
Security Task Manager 1.7e --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for Step By Step Interactive Training (KB898458) -->
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TweakNow RegCleaner Standard --> "C:\Program Files\TweakNow RegCleaner Std\unins000.exe"
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB914548 --> "C:\WINDOWS\$NtUninstallKB914548$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type9247 / Warning
Event Submitted/Written: 04/29/2008 09:58:57 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{DA327C6D-D8F1-4587-B4DE-10C39BF6B891}', feature 'Base' failed during request for component '{5617BF49-9195-4C35-B9AD-F8D165DE25BB}'

Event Record #/Type9246 / Error
Event Submitted/Written: 04/29/2008 07:47:34 PM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
310  2008-01-20  16:06:37-04:00  your-776a965251  YOUR-776A965251\Administrator  F-Secure Anti-Virus
 Spyware detected:
 Type: adware
 Family:  
 Name: AdWare.Win32.Virtumonde
 Object: C:\WINDOWS\system32\vtuussp.dll
 Action: none.

Event Record #/Type9245 / Error
Event Submitted/Written: 04/29/2008 07:47:34 PM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
309  2008-01-20  16:06:29-04:00  your-776a965251  YOUR-776A965251\Administrator  F-Secure Anti-Virus
 Spyware detected:
 Type: adware
 Family:  
 Name: AdWare.Win32.Virtumonde
 Object: C:\WINDOWS\system32\mllmj.dll
 Action: none.

Event Record #/Type9244 / Error
Event Submitted/Written: 04/29/2008 07:47:34 PM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
308  2008-01-20  16:06:05-04:00  your-776a965251  YOUR-776A965251\Administrator  F-Secure Anti-Virus
 Spyware detected:
 Type: adware
 Family:  
 Name: AdWare.Win32.Virtumonde
 Object: C:\WINDOWS\system32\vtuussp.dll
 Action: none.

Event Record #/Type9243 / Error
Event Submitted/Written: 04/29/2008 07:47:34 PM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
307  2008-01-20  16:05:58-04:00  your-776a965251  YOUR-776A965251\Administrator  F-Secure Anti-Virus
 Spyware detected:
 Type: adware
 Family:  
 Name: AdWare.Win32.Virtumonde
 Object: C:\WINDOWS\system32\mllmj.dll
 Action: none.

 

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18721 / Error
Event Submitted/Written: 04/30/2008 06:34:44 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {7F6316B4-4D69-4765-B0A3-B2598F2FA80A} did not register with DCOM within the required timeout.

Event Record #/Type18704 / Error
Event Submitted/Written: 04/30/2008 06:34:17 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Intel® Quick Resume technology service failed to start due to the following error:
%%2

Event Record #/Type18703 / Error
Event Submitted/Written: 04/30/2008 06:34:17 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Intel® Alert Service service failed to start due to the following error:
%%3

Event Record #/Type18699 / Error
Event Submitted/Written: 04/30/2008 04:15:35 PM
Event ID/Source: 20 / Windows Update Agent
Event Description:
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework, Version 2.0 (KB928365).

Event Record #/Type18692 / Error
Event Submitted/Written: 04/30/2008 04:09:32 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {7F6316B4-4D69-4765-B0A3-B2598F2FA80A} did not register with DCOM within the required timeout.

 

-- End of Deckard's System Scanner: finished at 2008-04-30 18:37:12 ------------
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
lots of trojans
« Reply #3 on: April 30, 2008, 06:20:34 PM »
Do the following please

If you have previously downloaded combofix
Delete your copy, I need you to redownload it

Download this file - Combofix.exe and save it ONLY to your desktop

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
I'll need to see this log later
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back the log from Combofix
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline natro charlo

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
lots of trojans
« Reply #4 on: April 30, 2008, 08:14:37 PM »
combofix log

ComboFix 08-04-29.5 - Administrator 2008-04-30 21:13:30.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.692 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((   Files Created from 2008-04-01 to 2008-05-01  )))))))))))))))))))))))))))))))
.

2008-04-30 16:10 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-29 23:29 . 2008-04-29 23:29 <DIR> d-------- C:\Program Files\DNA
2008-04-29 23:29 . 2008-04-29 23:29 <DIR> d-------- C:\Program Files\BitTorrent
2008-04-29 23:29 . 2008-04-30 19:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DNA
2008-04-29 23:29 . 2008-04-29 23:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-04-29 23:27 . 2008-04-29 23:27 <DIR> d-------- C:\Program Files\Uniblue
2008-04-29 23:27 . 2008-04-29 23:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-29 23:11 . 2008-04-29 23:11 <DIR> d-------- C:\Program Files\Security Task Manager
2008-04-29 23:11 . 2008-04-29 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-29 22:41 . 2008-04-29 22:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 22:41 . 2008-04-29 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 22:41 . 2008-04-29 22:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-29 22:40 . 2008-04-29 22:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-29 21:27 . 2008-04-29 21:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 20:06 . 2008-04-29 23:42 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-29 18:40 . 2008-04-29 18:40 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
2008-04-29 18:33 . 2008-04-29 18:47 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-04-17 12:00 . 2008-04-28 21:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-17 12:00 . 2008-04-17 12:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-17 11:58 . 2008-04-17 11:58 <DIR> d-------- C:\Program Files\iPod

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 20:13 6,754 ----a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2008-04-30 03:17 --------- d-----w C:\Program Files\Intel
2008-04-30 02:23 --------- d-----w C:\Program Files\Google
2008-04-30 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2008-04-30 02:09 --------- d-----w C:\Program Files\Java
2008-04-30 02:08 --------- d-----w C:\Program Files\Netscape Internet Service
2008-04-30 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
2008-04-30 02:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 02:07 --------- d-----w C:\Program Files\CyberLink
2008-04-30 02:04 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-30 01:59 --------- d-----w C:\Program Files\The Weather Channel FW
2008-04-30 01:57 --------- d-----w C:\Program Files\Common Files\Real
2008-04-30 00:29 --------- d-----w C:\Program Files\iTunes
2008-04-29 23:11 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2008-04-29 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-04-29 22:28 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-21 22:34 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 17:07 19,148,408 ----a-w C:\WINDOWS\system32\MRT .exe
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-12-30 22:53 0 --sha-w C:\Documents and Settings\Administrator\Application Data\e3b9042be25a68b2861ee2ba8e8eeb298f757348.dat
.
Code: [Select]
<pre>
----a-w   375,296 2008-01-15 23:24:25  C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent .exe
----a-w   139,264 2008-01-15 23:24:16  C:\Program Files\Digital Media Reader\readericon45G .exe
----a-w 73,728 2008-01-15 23:24:16  C:\Program Files\Gateway\GWCares\GWCares .exe
----a-w 68,856 2008-01-15 23:24:44  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w   171,448 2008-01-12 14:46:28  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w 36,864 2008-01-15 23:24:39  C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys .exe
----a-w   267,048 2008-04-17 19:13:37  C:\Program Files\iTunes\iTunesHelper .exe
----a-w   110,592 2008-01-14 00:38:54  C:\Program Files\McAfee\SpamKiller\MS18B0~1 .EXE
----a-w   110,592 2008-01-09 20:11:12  C:\Program Files\McAfee\SpamKiller\MS18B0~2 .EXE
----a-w   110,592 2008-04-30 00:29:41  C:\Program Files\McAfee\SpamKiller\MskAgent  .exe
----a-w   110,592 2008-01-15 22:27:43  C:\Program Files\McAfee\SpamKiller\MskAgent .exe
----a-w   110,592 2008-01-15 15:54:48  C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
----a-w   110,592 2007-12-31 14:35:38  C:\Program Files\McAfee\SpamKiller\MSKAGE~2 .EXE
----a-w   110,592 2008-04-30 00:29:41  C:\Program Files\McAfee\SpamKiller\MSKAGE~3 .EXE
----a-w 1,121,792 2008-01-15 22:27:56  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w 1,694,208 2008-01-15 23:25:00  C:\Program Files\Messenger\msmsgs .exe
----a-w 64,512 2008-01-15 23:24:15  C:\WINDOWS\ehome\ehtray .exe
----a-w   158,208 2008-04-29 23:11:49  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w 19,148,408 2008-03-18 17:07:54  C:\WINDOWS\system32\MRT .exe
----a-w   176,128 2008-01-15 23:24:37  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
</pre>

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-29 23:29 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-05 05:28 7393280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\909d1eba]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awola]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93ae2d26]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bnhfygw]
C:\Documents and Settings\Administrator\My Documents\T?sks\r?gedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-21 18:34 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ealb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Registration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-01-05 05:28 7393280 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-01-05 05:28 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prdwhxns]
C:\Program Files\Common Files\A?pPatch\w?auclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask            .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 19:28:38 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-16 00:31:10 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet3500#CN3AN3D4887O.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet3500#CN3AN3D4887O
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 21:14:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 21:14:44
ComboFix-quarantined-files.txt  2008-05-01 01:14:40

Pre-Run: 236,536,545,280 bytes free
Post-Run: 236,544,876,544 bytes free

181 --- E O F --- 2008-04-30 20:15:35
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
lots of trojans
« Reply #5 on: April 30, 2008, 08:34:17 PM »
Download  [color=\"#FF0000\"]RenV[/color] by sUBs.

1. Save it to your Desktop.
2. Double-click RenV.exe
3. It shall produce a log for you. Please post that log in your reply.
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline natro charlo

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
lots of trojans
« Reply #6 on: April 30, 2008, 10:06:06 PM »
Code: [Select]
Ran on Wed 04/30/2008 - 23:07:05.54

----a-w   375,296 2008-01-15 23:24:25  C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent .exe
----a-w   139,264 2008-01-15 23:24:16  C:\Program Files\Digital Media Reader\readericon45G .exe
----a-w 73,728 2008-01-15 23:24:16  C:\Program Files\Gateway\GWCares\GWCares .exe
----a-w 68,856 2008-01-15 23:24:44  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w   171,448 2008-01-12 14:46:28  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w 36,864 2008-01-15 23:24:39  C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys .exe
----a-w   267,048 2008-04-17 19:13:37  C:\Program Files\iTunes\iTunesHelper .exe
----a-w   110,592 2008-01-14 00:38:54  C:\Program Files\McAfee\SpamKiller\MS18B0~1 .EXE
----a-w   110,592 2008-01-09 20:11:12  C:\Program Files\McAfee\SpamKiller\MS18B0~2 .EXE
----a-w   110,592 2008-04-30 00:29:41  C:\Program Files\McAfee\SpamKiller\MskAgent  .exe
----a-w   110,592 2008-01-15 22:27:43  C:\Program Files\McAfee\SpamKiller\MskAgent .exe
----a-w   110,592 2008-01-15 15:54:48  C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
----a-w   110,592 2007-12-31 14:35:38  C:\Program Files\McAfee\SpamKiller\MSKAGE~2 .EXE
----a-w   110,592 2008-04-30 00:29:41  C:\Program Files\McAfee\SpamKiller\MSKAGE~3 .EXE
----a-w 1,121,792 2008-01-15 22:27:56  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w 1,694,208 2008-01-15 23:25:00  C:\Program Files\Messenger\msmsgs .exe
----a-w 64,512 2008-01-15 23:24:15  C:\WINDOWS\ehome\ehtray .exe
----a-w   158,208 2008-04-29 23:11:49  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w 19,148,408 2008-03-18 17:07:54  C:\WINDOWS\system32\MRT .exe
----a-w   176,128 2008-01-15 23:24:37  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe

 Entries:   20  (20)
 Directories: 0  Files: 20
 Bytes: 24,269,904  Blocks:   47,404
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
lots of trojans
« Reply #7 on: April 30, 2008, 10:26:16 PM »


You should have a file called log.txt on desktop
Referring to the picture above
drag Log.txt into RenV.exe

When finished, it shall produce a new log for you. Post that log in your next reply.

Immediately after, please run ComboFix again and post the log it produces.
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline natro charlo

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
lots of trojans
« Reply #8 on: May 01, 2008, 06:06:04 PM »
Code: [Select]
Ran on Thu 05/01/2008 - 19:07:00.04

----a-w   110,592 2008-01-09 20:11:12  C:\Program Files\McAfee\SpamKiller\MS18B0~1 .EXE
----a-w   110,592 2007-12-31 14:35:38  C:\Program Files\McAfee\SpamKiller\MskAgent  .exe
----a-w   110,592 2008-01-15 15:54:48  C:\Program Files\McAfee\SpamKiller\MskAgent .exe
----a-w   110,592 2008-01-14 00:38:54  C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE

 Entries: 4  (4)
 Directories: 0  Files: 4
 Bytes: 442,368  Blocks:  864
Logged

Offline natro charlo

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
lots of trojans
« Reply #9 on: May 01, 2008, 06:07:55 PM »
ComboFix 08-04-29.5 - Administrator 2008-05-01 19:07:55.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.677 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((   Files Created from 2008-04-01 to 2008-05-01  )))))))))))))))))))))))))))))))
.

2008-05-01 19:06 . 2008-01-15 19:24   64,512   --a--c---   C:\WINDOWS\system32\dllcache\ehtray.exe
2008-04-30 16:10 . 2007-07-30 19:19   207,736   --a------   C:\WINDOWS\system32\muweb.dll
2008-04-29 23:29 . 2008-04-29 23:29   <DIR>   d--------   C:\Program Files\DNA
2008-04-29 23:29 . 2008-04-29 23:29   <DIR>   d--------   C:\Program Files\BitTorrent
2008-04-29 23:29 . 2008-04-30 23:08   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\DNA
2008-04-29 23:29 . 2008-04-29 23:35   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-04-29 23:27 . 2008-04-29 23:27   <DIR>   d--------   C:\Program Files\Uniblue
2008-04-29 23:27 . 2008-04-29 23:27   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-29 23:11 . 2008-04-29 23:11   <DIR>   d--------   C:\Program Files\Security Task Manager
2008-04-29 23:11 . 2008-04-29 23:18   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-29 22:41 . 2008-04-29 22:41   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-04-29 22:41 . 2008-04-29 22:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 22:41 . 2008-04-29 22:41   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-29 22:40 . 2008-04-29 22:40   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-04-29 21:27 . 2008-04-29 21:27   <DIR>   d--------   C:\Program Files\Trend Micro
2008-04-29 20:06 . 2008-04-29 23:42   <DIR>   d--------   C:\WINDOWS\BDOSCAN8
2008-04-29 18:40 . 2008-04-29 18:40   <DIR>   d--------   C:\Program Files\TweakNow RegCleaner Std
2008-04-29 18:33 . 2008-04-29 18:47   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2008-04-17 12:00 . 2008-04-28 21:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-17 12:00 . 2008-04-17 12:00   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-17 11:58 . 2008-04-17 11:58   <DIR>   d--------   C:\Program Files\iPod

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 23:06   ---------   d-----w   C:\Program Files\iTunes
2008-05-01 23:06   ---------   d-----w   C:\Program Files\Digital Media Reader
2008-04-30 20:13   6,754   ----a-w   C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2008-04-30 03:17   ---------   d-----w   C:\Program Files\Intel
2008-04-30 02:23   ---------   d-----w   C:\Program Files\Google
2008-04-30 02:19   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\F-Secure
2008-04-30 02:09   ---------   d-----w   C:\Program Files\Java
2008-04-30 02:08   ---------   d-----w   C:\Program Files\Netscape Internet Service
2008-04-30 02:08   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
2008-04-30 02:07   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-04-30 02:07   ---------   d-----w   C:\Program Files\CyberLink
2008-04-30 02:04   ---------   d-----w   C:\Program Files\Common Files\AOL
2008-04-30 01:59   ---------   d-----w   C:\Program Files\The Weather Channel FW
2008-04-30 01:57   ---------   d-----w   C:\Program Files\Common Files\Real
2008-04-29 23:11   158,208   ----a-w   C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2008-04-29 22:30   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Napster
2008-04-29 22:28   ---------   d-----w   C:\Program Files\Hewlett-Packard
2008-04-21 22:34   15,360   ----a-w   C:\WINDOWS\system32\ctfmon.exe
2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
2007-12-30 22:53   0   --sha-w   C:\Documents and Settings\Administrator\Application Data\e3b9042be25a68b2861ee2ba8e8eeb298f757348.dat
.
Code: [Select]
<pre>
----a-w   110,592 2008-01-09 20:11:12  C:\Program Files\McAfee\SpamKiller\MS18B0~1 .EXE
----a-w   110,592 2007-12-31 14:35:38  C:\Program Files\McAfee\SpamKiller\MskAgent  .exe
----a-w   110,592 2008-01-15 15:54:48  C:\Program Files\McAfee\SpamKiller\MskAgent .exe
----a-w   110,592 2008-01-14 00:38:54  C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
</pre>

(((((((((((((((((((((((((((((   snapshot@2008-04-30_21.14.35.71   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 01:09:38   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-05-01 23:04:49   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-01-15 23:24:15   64,512   ----a-w   C:\WINDOWS\ehome\ehtray.exe
- 2004-08-10 19:00:00   158,208   -c--a-w   C:\WINDOWS\system32\dllcache\msconfig.exe
+ 2008-04-29 23:11:49   158,208   -c--a-w   C:\WINDOWS\system32\dllcache\msconfig.exe
- 2008-04-06 05:56:20   19,836,024   ----a-w   C:\WINDOWS\system32\MRT.exe
+ 2008-03-18 17:07:54   19,148,408   ----a-w   C:\WINDOWS\system32\MRT.exe
+ 2008-01-15 23:24:37   176,128   ----a-w   C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-29 23:29 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-05 05:28 7393280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\909d1eba]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awola]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93ae2d26]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bnhfygw]
C:\Documents and Settings\Administrator\My Documents\T?sks\r?gedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-21 18:34 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ealb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Registration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2008-01-15 19:24 176128 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
--a------ 2008-01-15 19:24 375296 C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-01-05 05:28 7393280 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-01-05 05:28 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prdwhxns]
C:\Program Files\Common Files\A?pPatch\w?auclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
--a------ 2008-01-15 19:24 36864 C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask            .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 19:28:38 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-16 00:31:10 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet3500#CN3AN3D4887O.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet3500#CN3AN3D4887O
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 19:08:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-01 19:08:53
ComboFix-quarantined-files.txt  2008-05-01 23:08:50
ComboFix2.txt  2008-05-01 01:14:44

Pre-Run: 236,529,127,424 bytes free
Post-Run: 236,517,294,080 bytes free

177   --- E O F ---   2008-04-30 20:15:35
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
lots of trojans
« Reply #10 on: May 01, 2008, 11:44:47 PM »
Can you let me know the following
I don't see anything From McAfee' installed any longer
Can you verify that please?
In addition, I did see something from FSecure, did you uninstall it
We have a bit of cleanup to do, but mostly legit programs from this point

Can you post a fresh hijackthis log please
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline natro charlo

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
lots of trojans
« Reply #11 on: May 02, 2008, 03:21:07 PM »
yes mcafee is uninstalled and so is f secure i deleted f secure because it kept popping up windows every second when i was deleting infected files and it was aggrivating me and mcafee i uninstalled also...i wasnt sure if i got every root files of the trojans and i figured you would know for sure

hijack this log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:42 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel® Alert Service (AlertService) - Unknown owner - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Intel® Quick Resume technology (ELService) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv(tm) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

--
End of file - 3720 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
lots of trojans
« Reply #12 on: May 02, 2008, 09:36:08 PM »
Download [color=\"blue\"]OTMoveIt2.exe[/color] by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the entries below in [color=\"#0000FF\"]blue[/color] to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):

    ================================================

    [color=\"#0000FF\"]C:\Program Files\McAfee
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\909d1eba]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93ae2d26]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bnhfygw]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ealb]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prdwhxns]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
    [/color]


    ======================================================
  • Return to OTMoveIt2, right-click on the "Paste List of Files/Folders to be Moved" window  and choose "Paste".
  • Click the red "[color=\"red\"]MoveIt![/color]" button.
  • Close OTMoveIt when it has completed.
[color=\"red\"]Note[/color]:  If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
I'll need to see that log later

Afterwards:
Download McAfee uninstaller, as it appears it was not fully removed
Follow the next set of instructions
Download the removal tool from http://download.mcafee.com/products/licens...atches/MCPR.exe
  • Click Save and save the file to any folder on the computer.
  • Navigate to the folder where the file is saved.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
    [color=\"blue\"]Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.[/color]
    After the second window appears, the program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
The machine must reboot to complete the un-installation. Reboot now? [y.n]
 
  • Press Y on the keyboard.
  • Wait for the computer to restart.
All McAfee products are now removed from your computer.
These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302

After reboot:
use the Internet Explorer browser (or FireFox with IETab), and do an online scan with [color=\"blue\"]Kaspersky Online Scanner[/color]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet [color=\"#3333FF\"]Explorer 7[/color] users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%[/i].)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
        [color=\"#6666CC\"]Extended[/color]
    • Scan Options:
        [color=\"#6666CC\"]Scan Archives[/color]
        [color=\"#6666CC\"]Scan Mail Bases[/color]
        [/list]
        [/list]
        • Click OK and, under select a target to scan, select My Computer
        When the scan is done, in the [color=\"Navy\"]Scan is completed [/color]window (below), any infection is displayed.
        There is no option to clean/disinfect, however, we need to analyze the information on the report.

        To obtain the report:
        Click on: Save Report As (above - red blinking arrow)
        Next, in the [color=\"Navy\"]Save as [/color]prompt, [color=\"navy\"]Save in[/color] area, select: Desktop
        In the [color=\"navy\"]File name[/color] area, use KScan, or something similar
        In [color=\"navy\"]Save as type[/color], click the drop arrow and select: Text file [*.txt]
        Then, click: Save
        Please post the [color=\"Navy\"]Kaspersky Online Scanner Report [/color]in your reply.
        « Last Edit: May 02, 2008, 09:37:02 PM by guestolo »
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Offline natro charlo

        • Newbie
        • *
        • Posts: 20
        • Karma: +0/-0
          • View Profile
        lots of trojans
        « Reply #13 on: May 03, 2008, 03:58:00 PM »
        C:\Program Files\McAfee\SpamKiller moved successfully.
        C:\Program Files\McAfee moved successfully.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\909d1eba] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\909d1eba] not found.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93ae2d26] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93ae2d26] not found.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bnhfygw] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bnhfygw] not found.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ealb] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ealb] not found.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager] not found.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB] not found.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] not found.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prdwhxns] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prdwhxns] not found.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1] not found.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] not found.
        < [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble] >
        File/Folder [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble] not found.
         
        OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05032008_002933







        -------------------------------------------------------------------------------
         KASPERSKY ONLINE SCANNER REPORT
         Saturday, May 03, 2008 5:50:10 PM
         Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
         Kaspersky Online Scanner version: 5.0.98.0
         Kaspersky Anti-Virus database last update:  3/05/2008
         Kaspersky Anti-Virus database records: 737641
        -------------------------------------------------------------------------------

        Scan Settings:
           Scan using the following antivirus database: extended
           Scan Archives: true
           Scan Mail Bases: true

        Scan Target - My Computer:
           A:\
           C:\
           D:\
           E:\
           F:\
           G:\
           H:\
           I:\

        Scan Statistics:
           Total number of scanned objects: 51129
           Number of viruses found: 1
           Number of infected objects: 12
           Number of suspicious objects: 0
           Duration of the scan process: 00:26:30

        Infected Object Name / Virus Name / Last Action
        C:\Documents and Settings\Administrator\Application Data\etbruiyrqm .0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Application Data\etbruiyrqm.0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Application Data\eyouk .0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Application Data\eyouk.0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Application Data\fxyebvgcwzy .0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Application Data\fxyebvgcwzy.0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Application Data\pqmvhtkhi.0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Application Data\ssmm .0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Application Data\ssmm.0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Application Data\zjbstyocxdbf .0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Application Data\zjbstyocxdbf.0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\Documents and Settings\Administrator\Cookies\index.dat   Object is locked   skipped
        C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat   Object is locked   skipped
        C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
        C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
        C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008050320080504\index.dat   Object is locked   skipped
        C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat   Object is locked   skipped
        C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
        C:\Documents and Settings\Administrator\NTUSER.DAT   Object is locked   skipped
        C:\Documents and Settings\Administrator\ntuser.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log   Object is locked   skipped
        C:\Documents and Settings\IUSR_NMPR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
        C:\Documents and Settings\IUSR_NMPR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\IUSR_NMPR\NTUSER.DAT   Object is locked   skipped
        C:\Documents and Settings\IUSR_NMPR\ntuser.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat   Object is locked   skipped
        C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat   Object is locked   skipped
        C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
        C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
        C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
        C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiondb.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiondb.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectionnameindex.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectionnameindex.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectionrevindex.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectionrevindex.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypedateindex.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypedateindex.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypeindex.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypeindex.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypenameindex.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypenameindex.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_content.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_content.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_creationdateindex.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_creationdateindex.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_propdb.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_propdb.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_typenameindex.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_typenameindex.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_urldb.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_urldb.mdb2   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_urlindex.mdb1   Object is locked   skipped
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_urlindex.mdb2   Object is locked   skipped
        C:\rkDw.0xe   Infected: not-virus:Hoax.Win32.Renos.aot   skipped
        C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
        C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP156\change.log   Object is locked   skipped
        C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
        C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
        C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
        C:\WINDOWS\Sti_Trace.log   Object is locked   skipped
        C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
        C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
        C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
        C:\WINDOWS\system32\config\default   Object is locked   skipped
        C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
        C:\WINDOWS\system32\config\IntelDH.evt   Object is locked   skipped
        C:\WINDOWS\system32\config\Internet.evt   Object is locked   skipped
        C:\WINDOWS\system32\config\Media Ce.evt   Object is locked   skipped
        C:\WINDOWS\system32\config\SAM   Object is locked   skipped
        C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
        C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
        C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
        C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
        C:\WINDOWS\system32\config\software   Object is locked   skipped
        C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
        C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
        C:\WINDOWS\system32\config\system   Object is locked   skipped
        C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
        C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
        C:\WINDOWS\wiadebug.log   Object is locked   skipped
        C:\WINDOWS\wiaservc.log   Object is locked   skipped
        C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
        D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP156\change.log   Object is locked   skipped

        Scan process completed.
        « Last Edit: May 03, 2008, 04:49:04 PM by natro charlo »
        Logged

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
          • View Profile
          • http://
        lots of trojans
        « Reply #14 on: May 04, 2008, 11:37:25 AM »
        OTMoveit2.exe
        • Please double-click OTMoveIt2.exe to run it.
        • Copy the entries below in [color=\"#0000FF\"]blue[/color] to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):

          ================================================

          [color=\"#0000FF\"]C:\Documents and Settings\Administrator\Application Data\etbruiyrqm .0xe
          C:\Documents and Settings\Administrator\Application Data\etbruiyrqm.0xe
          C:\Documents and Settings\Administrator\Application Data\eyouk .0xe
          C:\Documents and Settings\Administrator\Application Data\eyouk.0xe
          C:\Documents and Settings\Administrator\Application Data\fxyebvgcwzy .0xe
          C:\Documents and Settings\Administrator\Application Data\fxyebvgcwzy.0xe
          C:\Documents and Settings\Administrator\Application Data\pqmvhtkhi.0xe
          C:\Documents and Settings\Administrator\Application Data\ssmm .0xe
          C:\Documents and Settings\Administrator\Application Data\ssmm.0xe
          C:\Documents and Settings\Administrator\Application Data\zjbstyocxdbf .0xe
          C:\Documents and Settings\Administrator\Application Data\zjbstyocxdbf.0xe
          C:\rkDw.0xe
          C:\WINDOWS\system32\vtuussp.dll
          C:\WINDOWS\system32\mllmj.dll
          C:\WINDOWS\system32\xasxtl.dll
          [/color]


          ======================================================
        • Return to OTMoveIt2, right-click on the "Paste List of Files/Folders to be Moved" window  and choose "Paste".
        • Click the red "[color=\"red\"]MoveIt![/color]" button.
        • Close OTMoveIt when it has completed.
        [color=\"red\"]Note[/color]:  If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

        OTMoveIt would of created a new log at this location
        C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
        I'll need to see that log again later, take note of the time/date of the log

        Download [color=\"#FF0000\"]ATF-Cleaner[/color] by Atribune.
        Save it to your desktop
        We'll need it later

        If you have previously downloaded Smitfraudfix, delete your copy, and carry on with the following instructions
        Download [color=\"red\"]SmitfraudFix[/color][/url] (by S!Ri)
        Extract the contents (a folder named SmitfraudFix) to your Desktop.
        We'll need this later

        Print these set of instructions, or save them to a text file on desktop for reference

        Reboot your computer in Safe Mode by doing the following :
        • Restart your computer
        • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
        • Instead of Windows loading as normal, a menu with options should appear;
        • Select the first option, to run Windows in Safe Mode, then press "Enter".
        • Choose your usual account.
        In safe mode

        ====================================

        Double-click ATF-Cleaner.exe to run the program.
              Under Main choose: Select All
              Click the Empty Selected button.

        Click Exit on the Main menu to close the program.
        ================================================
        Open the SmitfraudFix folder and double-click smitfraudfix.cmd

        Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

        You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

        The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

        The tool may need to restart your computer to finish the cleaning process; if it doesn't
        Remain back to Normal Windows
        I'll need to see the log it generates later, by default it is located at
        C:\rapport.txt
        ============================================

        Back in Normal Windows

        We need to get you a new AntiVirus software
        Go here and download your Free version of Avira AntiVir
        http://www.download.com/Avira-AntiVir-Pers...cdlpid=10322935
        Once installed, ensure it is fully updated before you run a scan
        After updating run a complete system scan
        Quarantine or delete everything it finds

        When it's done, Reboot the computer
        Back in Windows

        Open Avira again (Double click on the red Umbrella icon by the clock)
        Click on REPORTS under Overview
        Double click on the Scan report you just made
        Then click on "Report File"

        Post the following back here: It may take more than one reply to post all the info

        1. Post the Report from Avira
        2. Run "dss.exe" from desktop again, post the contents of main.txt that will open
        3. Post the report from Smitfraudfix>>C:\Rapport.txt
        4. Post the new log from OTMoveit2
        « Last Edit: May 04, 2008, 11:52:09 AM by guestolo »
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Offline natro charlo

        • Newbie
        • *
        • Posts: 20
        • Karma: +0/-0
          • View Profile
        lots of trojans
        « Reply #15 on: May 04, 2008, 01:13:59 PM »
        C:\Documents and Settings\Administrator\Application Data\etbruiyrqm .0xe moved successfully.
        C:\Documents and Settings\Administrator\Application Data\etbruiyrqm.0xe moved successfully.
        C:\Documents and Settings\Administrator\Application Data\eyouk .0xe moved successfully.
        C:\Documents and Settings\Administrator\Application Data\eyouk.0xe moved successfully.
        C:\Documents and Settings\Administrator\Application Data\fxyebvgcwzy .0xe moved successfully.
        C:\Documents and Settings\Administrator\Application Data\fxyebvgcwzy.0xe moved successfully.
        C:\Documents and Settings\Administrator\Application Data\pqmvhtkhi.0xe moved successfully.
        C:\Documents and Settings\Administrator\Application Data\ssmm .0xe moved successfully.
        C:\Documents and Settings\Administrator\Application Data\ssmm.0xe moved successfully.
        C:\Documents and Settings\Administrator\Application Data\zjbstyocxdbf .0xe moved successfully.
        C:\Documents and Settings\Administrator\Application Data\zjbstyocxdbf.0xe moved successfully.
        C:\rkDw.0xe moved successfully.
        File/Folder C:\WINDOWS\system32\vtuussp.dll not found.
        File/Folder C:\WINDOWS\system32\mllmj.dll not found.
        File/Folder C:\WINDOWS\system32\xasxtl.dll not found.
         
        OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05042008_141143
        Logged

        Offline natro charlo

        • Newbie
        • *
        • Posts: 20
        • Karma: +0/-0
          • View Profile
        lots of trojans
        « Reply #16 on: May 04, 2008, 03:43:32 PM »
        SmitFraudFix v2.319

        Scan done at 14:20:07.78, Sun 05/04/2008
        Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
        OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
        The filesystem type is NTFS
        Fix run in safe mode

        »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
        !!!Attention, following keys are not inevitably infected!!!

        SrchSTS.exe by S!Ri
        Search SharedTaskScheduler's .dll

        »»»»»»»»»»»»»»»»»»»»»»»» Killing process


        »»»»»»»»»»»»»»»»»»»»»»»» hosts

        127.0.0.1       localhost

        »»»»»»»»»»»»»»»»»»»»»»»» VACFix

        VACFix
        Credits: Malware Analysis & Diagnostic
        Code: S!Ri


        »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

        S!Ri's WS2Fix: LSP not Found.


        »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

        GenericRenosFix by S!Ri


        »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


        »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

        IEDFix
        Credits: Malware Analysis & Diagnostic
        Code: S!Ri


        »»»»»»»»»»»»»»»»»»»»»»»» 404Fix

        404Fix
        Credits: Malware Analysis & Diagnostic
        Code: S!Ri


        »»»»»»»»»»»»»»»»»»»»»»»» DNS

        HKLM\SYSTEM\CCS\Services\Tcpip\..\{9A2F6998-1B52-4323-90C4-20C4CE87FF5B}: DhcpNameServer=208.31.142.2
        HKLM\SYSTEM\CS1\Services\Tcpip\..\{9A2F6998-1B52-4323-90C4-20C4CE87FF5B}: DhcpNameServer=208.31.142.2
        HKLM\SYSTEM\CS2\Services\Tcpip\..\{9A2F6998-1B52-4323-90C4-20C4CE87FF5B}: DhcpNameServer=208.31.142.2
        HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.31.142.2
        HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.31.142.2
        HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=208.31.142.2


        »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


        »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
        !!!Attention, following keys are not inevitably infected!!!

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
        "System"=""


        »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
         
        Registry Cleaning done.
         
        »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
        !!!Attention, following keys are not inevitably infected!!!

        SrchSTS.exe by S!Ri
        Search SharedTaskScheduler's .dll


        »»»»»»»»»»»»»»»»»»»»»»»» End
        Logged

        Offline natro charlo

        • Newbie
        • *
        • Posts: 20
        • Karma: +0/-0
          • View Profile
        lots of trojans
        « Reply #17 on: May 04, 2008, 04:08:48 PM »
        Avira AntiVir Personal
        Report file date: Sunday, May 04, 2008  16:47

        Scanning for 1248213 virus strains and unwanted programs.

        Licensed to:      Avira AntiVir PersonalEdition Classic
        Serial number:    0000149996-ADJIE-0001
        Platform:         Windows XP
        Windows version:  (Service Pack 2)  [5.1.2600]
        Boot mode:        Normally booted
        Username:         SYSTEM
        Computer name:    YOUR-776A965251

        Version information:
        BUILD.DAT     : 8.1.00.295      16479 Bytes    4/9/2008 16:24:00
        AVSCAN.EXE    : 8.1.2.12       311553 Bytes   3/18/2008 15:02:56
        AVSCAN.DLL    : 8.1.1.0         53505 Bytes    2/7/2008 14:43:37
        LUKE.DLL      : 8.1.2.9        151809 Bytes   2/28/2008 14:41:23
        LUKERES.DLL   : 8.1.2.1         12033 Bytes   2/21/2008 14:28:40
        ANTIVIR0.VDF  : 6.40.0.0     11030528 Bytes   7/18/2007 16:33:34
        ANTIVIR1.VDF  : 7.0.3.2       5447168 Bytes    3/7/2008 19:08:58
        ANTIVIR2.VDF  : 7.0.3.197     1260032 Bytes   4/22/2008 20:44:39
        ANTIVIR3.VDF  : 7.0.3.243      276992 Bytes    5/2/2008 20:44:41
        Engineversion : 8.1.0.37  
        AEVDF.DLL     : 8.1.0.5        102772 Bytes   2/25/2008 15:58:21
        AESCRIPT.DLL  : 8.1.0.28       233851 Bytes    5/4/2008 20:44:55
        AESCN.DLL     : 8.1.0.15       119157 Bytes    5/4/2008 20:44:54
        AERDL.DLL     : 8.1.0.20       418165 Bytes    5/4/2008 20:44:53
        AEPACK.DLL    : 8.1.1.4        364918 Bytes    5/4/2008 20:44:51
        AEOFFICE.DLL  : 8.1.0.18       192890 Bytes    5/4/2008 20:44:49
        AEHEUR.DLL    : 8.1.0.21      1196407 Bytes    5/4/2008 20:44:48
        AEHELP.DLL    : 8.1.0.14       115063 Bytes    5/4/2008 20:44:44
        AEGEN.DLL     : 8.1.0.18       299381 Bytes    5/4/2008 20:44:43
        AEEMU.DLL     : 8.1.0.5        430450 Bytes    4/7/2008 21:34:43
        AECORE.DLL    : 8.1.0.27       168310 Bytes    5/4/2008 20:44:42
        AVWINLL.DLL   : 1.0.0.7         14593 Bytes   1/23/2008 23:07:53
        AVPREF.DLL    : 8.0.0.1         25857 Bytes   2/18/2008 16:37:50
        AVREP.DLL     : 7.0.0.1        155688 Bytes   4/16/2007 19:26:47
        AVREG.DLL     : 8.0.0.0         30977 Bytes   1/23/2008 23:07:49
        AVARKT.DLL    : 1.0.0.23       307457 Bytes   2/12/2008 14:29:23
        AVEVTLOG.DLL  : 8.0.0.11       114945 Bytes   2/28/2008 14:31:31
        SQLITE3.DLL   : 3.3.17.1       339968 Bytes   1/22/2008 23:28:02
        SMTPLIB.DLL   : 1.2.0.19        28929 Bytes   1/23/2008 23:08:39
        NETNT.DLL     : 8.0.0.1          7937 Bytes   1/25/2008 18:05:10
        RCIMAGE.DLL   : 8.0.0.35      2371841 Bytes   3/10/2008 20:37:25
        RCTEXT.DLL    : 8.0.32.0        86273 Bytes    3/6/2008 18:02:11

        Configuration settings for the scan:
        Jobname..........................: Complete system scan
        Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
        Logging..........................: low
        Primary action...................: interactive
        Secondary action.................: ignore
        Scan master boot sector..........: on
        Scan boot sector.................: on
        Boot sectors.....................: C:, D:,
        Scan memory......................: on
        Process scan.....................: on
        Scan registry....................: on
        Search for rootkits..............: off
        Scan all files...................: All files
        Scan archives....................: on
        Recursion depth..................: 20
        Smart extensions.................: on
        Macro heuristic..................: on
        File heuristic...................: medium

        Start of the scan: Sunday, May 04, 2008  16:47

        The scan of running processes will be started
        Scan process 'avscan.exe' - '1' Module(s) have been scanned
        Scan process 'avcenter.exe' - '1' Module(s) have been scanned
        Scan process 'avgnt.exe' - '1' Module(s) have been scanned
        Scan process 'avguard.exe' - '1' Module(s) have been scanned
        Scan process 'sched.exe' - '1' Module(s) have been scanned
        Scan process 'iexplore.exe' - '1' Module(s) have been scanned
        Scan process 'rsvp.exe' - '1' Module(s) have been scanned
        Scan process 'alg.exe' - '1' Module(s) have been scanned
        Scan process 'Remote UI Service.exe' - '1' Module(s) have been scanned
        Scan process 'mediaserver.exe' - '1' Module(s) have been scanned
        Scan process 'MCLServiceATL.exe' - '1' Module(s) have been scanned
        Scan process 'ISSM.exe' - '1' Module(s) have been scanned
        Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
        Scan process 'ehSched.exe' - '1' Module(s) have been scanned
        Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
        Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
        Scan process 'btdna.exe' - '1' Module(s) have been scanned
        Scan process 'explorer.exe' - '1' Module(s) have been scanned
        Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'lsass.exe' - '1' Module(s) have been scanned
        Scan process 'services.exe' - '1' Module(s) have been scanned
        Scan process 'winlogon.exe' - '1' Module(s) have been scanned
        Scan process 'csrss.exe' - '1' Module(s) have been scanned
        Scan process 'smss.exe' - '1' Module(s) have been scanned
        32 processes with 32 modules were scanned

        Starting master boot sector scan:
        Master boot sector HD0
              [INFO]      No virus was found!
        Master boot sector HD1
              [INFO]      No virus was found!
              [WARNING]   The device is not ready.
        Master boot sector HD2
              [INFO]      No virus was found!
              [WARNING]   The device is not ready.
        Master boot sector HD3
              [INFO]      No virus was found!
              [WARNING]   The device is not ready.
        Master boot sector HD4
              [INFO]      No virus was found!
              [WARNING]   The device is not ready.

        Start scanning boot sectors:
        Boot sector 'C:\'
              [INFO]      No virus was found!
        Boot sector 'D:\'
              [INFO]      No virus was found!

        Starting to scan the registry.
        The registry was scanned ( '17' files ).


        Starting the file scan:

        Begin scan in 'C:\'
        C:\hiberfil.sys
              [WARNING]   The file could not be opened!
        C:\pagefile.sys
              [WARNING]   The file could not be opened!
        C:\Documents and Settings\Administrator\Desktop\mohaa\wambot.exe
              [DETECTION] Is the Trojan horse TR/Dloader.ATQ
              [WARNING]   The file was ignored!
        C:\_OTMoveIt\MovedFiles\05042008_141143\rkDw.0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '486224b8.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\etbruiyrqm .0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '488024c3.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\etbruiyrqm.0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '488024c5.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\eyouk .0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '488d24cd.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\eyouk.0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '488d24cf.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\fxyebvgcwzy .0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '489724d0.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\fxyebvgcwzy.0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '489724d3.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\pqmvhtkhi.0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '488b24ce.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\ssmm .0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '488b24d2.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\ssmm.0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '488b24d4.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\zjbstyocxdbf .0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '488024cc.qua'!
        C:\_OTMoveIt\MovedFiles\05042008_141143\Documents and Settings\Administrator\Application Data\zjbstyocxdbf.0xe
              [DETECTION] Is the Trojan horse TR/Renos.19456.15
              [NOTE]      The file was moved to '488024ce.qua'!
        Begin scan in 'D:\' <RECOVERY>


        End of the scan: Sunday, May 04, 2008  17:06
        Used time: 19:16 min

        The scan has been done completely.

           4998 Scanning directories
         214523 Files were scanned
             13 viruses and/or unwanted programs were found
              0 Files were classified as suspicious:
              0 files were deleted
              0 files were repaired
             12 files were moved to quarantine
              0 files were renamed
              2 Files cannot be scanned
         214510 Files not concerned
          14282 Archives were scanned
              7 Warnings
             12 Notes



        Deckard's System Scanner v20071014.68
        Run by Administrator on 2008-05-04 17:10:11
        Computer is in Normal Mode.
        --------------------------------------------------------------------------------



        -- HijackThis (run as Administrator.exe) ---------------------------------------

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 5:10:15 PM, on 5/4/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16640)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
        C:\Program Files\DNA\btdna.exe
        C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
        C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\WINDOWS\eHome\ehRecvr.exe
        C:\WINDOWS\eHome\ehSched.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
        C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
        C:\WINDOWS\system32\rsvp.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\WINDOWS\system32\wuauclt.exe
        C:\Documents and Settings\Administrator\Desktop\dss.exe
        C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
        O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
        O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
        O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
        O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
        O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O23 - Service: Intel® Alert Service (AlertService) - Unknown owner - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe (file missing)
        O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
        O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
        O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
        O23 - Service: Intel® Quick Resume technology (ELService) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe (file missing)
        O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
        O23 - Service: Intel® Viiv(tm) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
        O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

        --
        End of file - 4155 bytes

        -- Files created between 2008-04-04 and 2008-05-04 -----------------------------

        2008-05-04 16:43:06         0 d-------- C:\Program Files\Avira
        2008-05-04 16:43:06         0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
        2008-05-04 14:20:12       430 --a------ C:\WINDOWS\system32\tmp.reg
        2008-05-04 14:19:38     25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
        2008-05-04 14:19:38    289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
        2008-05-04 14:19:38     86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
        2008-05-04 14:19:38    288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
        2008-05-04 14:19:38     82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
        2008-05-04 14:19:38     51200 --a------ C:\WINDOWS\system32\dumphive.exe
        2008-05-04 14:19:38     82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
        2008-05-04 14:19:37     53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
        2008-05-03 07:59:39         0 d-------- C:\Program Files\Ultra MP3 CD Burner
        2008-05-03 00:33:52         0 d-------- C:\WINDOWS\system32\Kaspersky Lab
        2008-05-03 00:33:52         0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
        2008-05-01 20:38:26         0 d-------- C:\cabs
        2008-05-01 20:38:17  24519680 --a------ C:\Program Files\D00643-001-001.exe
        2008-05-01 20:03:24         0 d-------- C:\Documents and Settings\Administrator\Application Data\teamspeak2
        2008-05-01 20:03:13         0 d-------- C:\Program Files\Teamspeak2_RC2
        2008-05-01 19:56:24         0 d-------- C:\Documents and Settings\Administrator\Application Data\Aim
        2008-05-01 19:56:18         0 d-------- C:\Program Files\Viewpoint
        2008-05-01 19:56:17         0 d-------- C:\Program Files\AOD
        2008-05-01 19:56:15         0 d-------- C:\Program Files\AIM
        2008-04-30 21:13:12     68096 --a------ C:\WINDOWS\zip.exe
        2008-04-30 21:13:12     49152 --a------ C:\WINDOWS\VFind.exe
        2008-04-30 21:13:12    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
        2008-04-30 21:13:12    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
        2008-04-30 21:13:12    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
        2008-04-30 21:13:12     98816 --a------ C:\WINDOWS\sed.exe
        2008-04-30 21:13:12     80412 --a------ C:\WINDOWS\grep.exe
        2008-04-30 21:13:12     73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
        2008-04-29 23:33:17         0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
        2008-04-29 23:29:55         0 d-------- C:\Documents and Settings\Administrator\Application Data\BitTorrent
        2008-04-29 23:29:21         0 d-------- C:\Program Files\DNA
        2008-04-29 23:29:21         0 d-------- C:\Program Files\BitTorrent
        2008-04-29 23:29:21         0 d-------- C:\Documents and Settings\Administrator\Application Data\DNA
        2008-04-29 23:27:11         0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
        2008-04-29 23:27:07         0 d-------- C:\Program Files\Uniblue
        2008-04-29 23:11:39         0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
        2008-04-29 23:11:35         0 d-------- C:\Program Files\Security Task Manager
        2008-04-29 22:41:30         0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
        2008-04-29 22:41:25         0 d-------- C:\Program Files\SUPERAntiSpyware
        2008-04-29 22:41:25         0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
        2008-04-29 22:40:04         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
        2008-04-29 21:27:37         0 d-------- C:\Program Files\Trend Micro
        2008-04-29 20:06:57         0 d-------- C:\WINDOWS\BDOSCAN8
        2008-04-29 18:40:22         0 d-------- C:\Program Files\TweakNow RegCleaner Std
        2008-04-29 18:33:54         0 d-------- C:\WINDOWS\SxsCaPendDel
        2008-04-29 18:15:13         0 d-------- C:\WINDOWS\pss
        2008-04-17 11:58:32         0 d-------- C:\Program Files\iPod


        -- Find3M Report ---------------------------------------------------------------

        2008-05-01 19:06:59         0 d-------- C:\Program Files\Messenger
        2008-05-01 19:06:58         0 d-------- C:\Program Files\iTunes
        2008-05-01 19:06:58         0 d-------- C:\Program Files\Digital Media Reader
        2008-04-30 16:13:18      6754 --a------ C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
        2008-04-29 23:17:46         0 d-------- C:\Program Files\Intel
        2008-04-29 22:40:04         0 d-------- C:\Program Files\Common Files
        2008-04-29 22:23:43         0 d-------- C:\Program Files\Google
        2008-04-29 22:09:33         0 d-------- C:\Program Files\Java
        2008-04-29 22:08:07         0 d-------- C:\Program Files\Netscape Internet Service
        2008-04-29 22:07:52         0 d--h----- C:\Program Files\InstallShield Installation Information
        2008-04-29 22:07:52         0 d-------- C:\Program Files\CyberLink
        2008-04-29 22:04:19         0 d-------- C:\Program Files\Common Files\AOL
        2008-04-29 21:59:34         0 d-------- C:\Program Files\The Weather Channel FW
        2008-04-29 21:57:01         0 d-------- C:\Program Files\Common Files\Real
        2008-04-29 18:28:12         0 d-------- C:\Program Files\Hewlett-Packard
        2008-04-29 18:27:18         0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
        2008-02-12 15:56:24      1158 --a------ C:\WINDOWS\mozver.dat


        -- Registry Dump ---------------------------------------------------------------

        *Note* empty entries & legit default entries are not shown


        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/05/2006 05:28 AM]
        "SigmatelSysTrayApp"="sttray.exe" []
        "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [04/29/2008 11:29 PM]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
        "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
        "HideLegacyLogonScripts"=0 (0x0)
        "HideLogoffScripts"=0 (0x0)
        "RunLogonScriptSync"=1 (0x1)
        "RunStartupScriptSync"=1 (0x1)
        "HideStartupScripts"=0 (0x0)

        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
        "HideLegacyLogonScripts"=0 (0x0)
        "HideLogoffScripts"=0 (0x0)
        "RunLogonScriptSync"=1 (0x1)
        "RunStartupScriptSync"=1 (0x1)
        "HideStartupScripts"=0 (0x0)

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
        backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\909d1eba]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awola]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93ae2d26]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bnhfygw]
        "C:\Documents and Settings\Administrator\My Documents\T?sks\r?gedit.exe"

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
        C:\WINDOWS\system32\ctfmon.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ealb]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
        "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
        "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Registration]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
        "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
        "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
        C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
        "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
        RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
        nwiz.exe /installquiet /keeploaded /nodetect

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
        NA

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prdwhxns]
        "C:\Program Files\Common Files\A?pPatch\w?auclt.exe"

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
        C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        "C:\Program Files\QuickTime\QTTask            .exe" -atboottime

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
        %WINDIR%\SMINST\RECGUARD.EXE

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
        %WINDIR%\Creator\Remind_XP.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
        sttray.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]

        *Newly Created Service* - SSMDRV



        -- End of Deckard's System Scanner: finished at 2008-05-04 17:10:33 ------------
        Logged

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
          • View Profile
          • http://
        lots of trojans
        « Reply #18 on: May 04, 2008, 05:06:32 PM »
        Some registry entries remained behind
        Let's try a different way to remove them

        ==Open Notepad (START>>>RUN>>>type in notepad)
        Hit OK
        Copy the contents of the CODE box, not including the word "code"
        Paste it to the empty Notepad file
        In Notepad click FILE>>SAVE AS
        IMPORTANT>>>Change the Save as Type to All Files.
        Name the file as fix.reg

        Save this file on the desktop
        Ensure to copy from REGEDIT4 and down in the code box

         
        Code: [Select]
        REGEDIT4

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\909d1eba]

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93ae2d26]

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bnhfygw]

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ealb]

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Prdwhxns]

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

        [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]

        Double click on fix.reg and allow to add/merge to the registry at the prompt
        Restart the computer afterwards
        Back in windows

        Run dss.exe one last time and post the new log that opens

        Keep me informed how things are running please
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Offline natro charlo

        • Newbie
        • *
        • Posts: 20
        • Karma: +0/-0
          • View Profile
        lots of trojans
        « Reply #19 on: May 04, 2008, 06:02:10 PM »
        Deckard's System Scanner v20071014.68
        Run by Administrator on 2008-05-04 19:03:24
        Computer is in Normal Mode.
        --------------------------------------------------------------------------------



        -- HijackThis (run as Administrator.exe) ---------------------------------------

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 7:03:26 PM, on 5/4/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16640)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
        C:\Program Files\DNA\btdna.exe
        C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
        C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\WINDOWS\eHome\ehRecvr.exe
        C:\WINDOWS\eHome\ehSched.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
        C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
        C:\WINDOWS\system32\rsvp.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\Documents and Settings\Administrator\Desktop\dss.exe
        C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
        O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
        O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
        O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
        O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
        O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O23 - Service: Intel® Alert Service (AlertService) - Unknown owner - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe (file missing)
        O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
        O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
        O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
        O23 - Service: Intel® Quick Resume technology (ELService) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe (file missing)
        O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
        O23 - Service: Intel® Viiv(tm) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
        O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

        --
        End of file - 4122 bytes

        -- Files created between 2008-04-04 and 2008-05-04 -----------------------------

        2008-05-04 16:43:06         0 d-------- C:\Program Files\Avira
        2008-05-04 16:43:06         0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
        2008-05-04 14:20:12       430 --a------ C:\WINDOWS\system32\tmp.reg
        2008-05-04 14:19:38     25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
        2008-05-04 14:19:38    289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
        2008-05-04 14:19:38     86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
        2008-05-04 14:19:38    288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
        2008-05-04 14:19:38     82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
        2008-05-04 14:19:38     51200 --a------ C:\WINDOWS\system32\dumphive.exe
        2008-05-04 14:19:38     82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
        2008-05-04 14:19:37     53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
        2008-05-03 07:59:39         0 d-------- C:\Program Files\Ultra MP3 CD Burner
        2008-05-03 00:33:52         0 d-------- C:\WINDOWS\system32\Kaspersky Lab
        2008-05-03 00:33:52         0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
        2008-05-01 20:38:26         0 d-------- C:\cabs
        2008-05-01 20:38:17  24519680 --a------ C:\Program Files\D00643-001-001.exe
        2008-05-01 20:03:24         0 d-------- C:\Documents and Settings\Administrator\Application Data\teamspeak2
        2008-05-01 20:03:13         0 d-------- C:\Program Files\Teamspeak2_RC2
        2008-05-01 19:56:24         0 d-------- C:\Documents and Settings\Administrator\Application Data\Aim
        2008-05-01 19:56:18         0 d-------- C:\Program Files\Viewpoint
        2008-05-01 19:56:17         0 d-------- C:\Program Files\AOD
        2008-05-01 19:56:15         0 d-------- C:\Program Files\AIM
        2008-04-30 21:13:12     68096 --a------ C:\WINDOWS\zip.exe
        2008-04-30 21:13:12     49152 --a------ C:\WINDOWS\VFind.exe
        2008-04-30 21:13:12    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
        2008-04-30 21:13:12    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
        2008-04-30 21:13:12    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
        2008-04-30 21:13:12     98816 --a------ C:\WINDOWS\sed.exe
        2008-04-30 21:13:12     80412 --a------ C:\WINDOWS\grep.exe
        2008-04-30 21:13:12     73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
        2008-04-29 23:33:17         0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
        2008-04-29 23:29:55         0 d-------- C:\Documents and Settings\Administrator\Application Data\BitTorrent
        2008-04-29 23:29:21         0 d-------- C:\Program Files\DNA
        2008-04-29 23:29:21         0 d-------- C:\Program Files\BitTorrent
        2008-04-29 23:29:21         0 d-------- C:\Documents and Settings\Administrator\Application Data\DNA
        2008-04-29 23:27:11         0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
        2008-04-29 23:27:07         0 d-------- C:\Program Files\Uniblue
        2008-04-29 23:11:39         0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
        2008-04-29 23:11:35         0 d-------- C:\Program Files\Security Task Manager
        2008-04-29 22:41:30         0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
        2008-04-29 22:41:25         0 d-------- C:\Program Files\SUPERAntiSpyware
        2008-04-29 22:41:25         0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
        2008-04-29 22:40:04         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
        2008-04-29 21:27:37         0 d-------- C:\Program Files\Trend Micro
        2008-04-29 20:06:57         0 d-------- C:\WINDOWS\BDOSCAN8
        2008-04-29 18:40:22         0 d-------- C:\Program Files\TweakNow RegCleaner Std
        2008-04-29 18:33:54         0 d-------- C:\WINDOWS\SxsCaPendDel
        2008-04-29 18:15:13         0 d-------- C:\WINDOWS\pss
        2008-04-17 11:58:32         0 d-------- C:\Program Files\iPod


        -- Find3M Report ---------------------------------------------------------------

        2008-05-01 19:06:59         0 d-------- C:\Program Files\Messenger
        2008-05-01 19:06:58         0 d-------- C:\Program Files\iTunes
        2008-05-01 19:06:58         0 d-------- C:\Program Files\Digital Media Reader
        2008-04-30 16:13:18      6754 --a------ C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
        2008-04-29 23:17:46         0 d-------- C:\Program Files\Intel
        2008-04-29 22:40:04         0 d-------- C:\Program Files\Common Files
        2008-04-29 22:23:43         0 d-------- C:\Program Files\Google
        2008-04-29 22:09:33         0 d-------- C:\Program Files\Java
        2008-04-29 22:08:07         0 d-------- C:\Program Files\Netscape Internet Service
        2008-04-29 22:07:52         0 d--h----- C:\Program Files\InstallShield Installation Information
        2008-04-29 22:07:52         0 d-------- C:\Program Files\CyberLink
        2008-04-29 22:04:19         0 d-------- C:\Program Files\Common Files\AOL
        2008-04-29 21:59:34         0 d-------- C:\Program Files\The Weather Channel FW
        2008-04-29 21:57:01         0 d-------- C:\Program Files\Common Files\Real
        2008-04-29 18:28:12         0 d-------- C:\Program Files\Hewlett-Packard
        2008-04-29 18:27:18         0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
        2008-02-12 15:56:24      1158 --a------ C:\WINDOWS\mozver.dat


        -- Registry Dump ---------------------------------------------------------------

        *Note* empty entries & legit default entries are not shown


        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/05/2006 05:28 AM]
        "SigmatelSysTrayApp"="sttray.exe" []
        "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [04/29/2008 11:29 PM]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
        "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
        "HideLegacyLogonScripts"=0 (0x0)
        "HideLogoffScripts"=0 (0x0)
        "RunLogonScriptSync"=1 (0x1)
        "RunStartupScriptSync"=1 (0x1)
        "HideStartupScripts"=0 (0x0)

        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
        "HideLegacyLogonScripts"=0 (0x0)
        "HideLogoffScripts"=0 (0x0)
        "RunLogonScriptSync"=1 (0x1)
        "RunStartupScriptSync"=1 (0x1)
        "HideStartupScripts"=0 (0x0)

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
        backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awola]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
        C:\WINDOWS\system32\ctfmon.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Registration]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
        "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
        "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
        C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
        "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
        RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
        nwiz.exe /installquiet /keeploaded /nodetect

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
        NA

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
        C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        "C:\Program Files\QuickTime\QTTask            .exe" -atboottime

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
        %WINDIR%\SMINST\RECGUARD.EXE

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
        %WINDIR%\Creator\Remind_XP.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
        sttray.exe




        -- End of Deckard's System Scanner: finished at 2008-05-04 19:03:44 ------------



        seems to be running really good and smooth
        Logged
        Pages: [1] 2
        « previous next »