
Hello, I Just Need To Know If I'm Infected With A Keylogger


  • This topic is locked
8 replies to this topic

#1 xLeGenDx

  • Members
  • 15 posts

Posted 20 November 2007 - 03:14 AM

Also, is Trojan.Agent.AFMX clean? It's used for a hack tool in a game that I play, and it's said that some viruses are required to bypass XTRAP (which is a security tool for a game).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:21 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer3.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\plite731.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\MSN Messenger\usnsvc.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
F2 - REG:system.ini: Shell=Explorer3.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - (no file)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: efccdax - efccdax.dll (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8267 bytes

#2 rigacci

  • Members
  • 2,597 posts

Posted 20 November 2007 - 11:00 AM

Hello and welcome to the forum. :thumbsup:

I would like to give you some help, if you are still in need.

It will take a little while to analyze your log and receive approval from the experts for the fix.

Please be patient and do not start any other threads about this same problem. :blink:

Thanks for your support.

DR

#3 rigacci

  • Members
  • 2,597 posts

Posted 20 November 2007 - 02:48 PM

You do have a couple of bugs. :thumbsup:


Please first run HijackThis (scan only).

Put a check next to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
F2 - REG:system.ini: Shell=Explorer3.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - (no file)
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O20 - Winlogon Notify: efccdax - efccdax.dll (file missing)



Then click on Fix Checked and let HJT do its thing. :blink:



Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.


Now reboot into Safe Mode:

To get into the Windows 2000 / XP Safe mode, as the computer is booting start tapping your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.



Now navigate to the following folders and delete the Files: :wacko:


C:\WINDOWS\Explorer3.exe

C:\WINDOWS\plite731.exe



Then delete the Folder:


C:\Program Files\MessengerDiscovery (You might have to empty the folder before deleting the folder.)


Now please reboot, but into Normal Mode.


Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



After ATF is finished, reboot again and then do an On-Line Scan.

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy & Paste the entire report in your next reply.




Download Deckard's System Scanner and save it to your Desktop.

* Double click dss.exe and follow the prompts.
* When finished, it will produce a log for you.
* Post the contents of that log in your next reply.
* Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the C:\Deckard\System Scanner folder. You will find two logs in the folder, main.txt and extra.txt.
* Open the main.txt log in Notepad
* Also Copy and Paste its contents in a reply.


Then run HijackThis again to produce a new log and post it here.


You should be posting:

1. F-Secure Report

2. DSS log

3. HijackThis log


Thanks.

DR
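A small triage script for HijackThis logs, added here as an example; it is not code from HijackThis, BleepingComputer or anyone in this thread. It encodes three of the patterns rigacci had the poster fix above (a system.ini Shell other than Explorer.exe, BHO or Winlogon Notify entries whose file is missing, and an autorun executable dropped straight into C:\WINDOWS) and runs them over constructed sample lines modelled on the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer3.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: efccdax - efccdax.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    line: str     # the full log line that was flagged
    reason: str   # why the heuristic flagged it


# "O4 - HKLM\..\Run: [...]"  ->  section "O4", body "HKLM\..\Run: [...]"
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.+)$")

# An .exe sitting directly in the Windows directory root (C:\WINDOWS\name.exe),
# not in a subfolder such as C:\WINDOWS\system32 or C:\WINDOWS\ehome.
WINROOT_EXE_RE = re.compile(r'[A-Za-z]:\\WINDOWS\\[^\\\s"]+\.exe', re.IGNORECASE)


def parse_hjt(text):
    """Yield (section, body, full_line) for every HijackThis entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("sec"), m.group("body"), line


def triage(text):
    """Apply the three heuristics and return flagged entries in log order."""
    findings = []
    for sec, body, line in parse_hjt(text):
        if sec == "F2" and body.startswith("REG:system.ini: Shell="):
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding(sec, line, f"non-standard shell {shell} (expected Explorer.exe)"))
        elif sec in ("O2", "O20") and ("(no file)" in body or "(file missing)" in body):
            findings.append(Finding(sec, line, "registered component whose file is missing (orphaned BHO / Winlogon Notify hook)"))
        elif sec == "O4":
            m = WINROOT_EXE_RE.search(body)
            if m:
                findings.append(Finding(sec, line, f"autorun executable {m.group(0)} placed directly in the Windows directory"))
    return findings


def count_by_section(findings):
    """Tally flagged entries per section code, e.g. {'F2': 1, 'O2': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries the heuristics do not cover (the R0/R1 HP redirect lines, unsigned services) still need a human reading the full log, as in this thread.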

#4 xLeGenDx

  • Topic Starter

  • Members
  • 15 posts

Posted 20 November 2007 - 04:28 PM

I will be submitting all the next information in 10 minutes.

Edited by xLeGenDx, 20 November 2007 - 04:41 PM.


#5 xLeGenDx

  • Topic Starter

  • Members
  • 15 posts

Posted 20 November 2007 - 09:13 PM

F-Secure Log
Scanning Report
Tuesday, November 20, 2007 16:48:42 - 17:57:24

Computer name: PATRICK
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
Result: 12 malware found
Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System
* System
* System
* System
* System

Trojan-Spy.Win32.Ardamax.e (virus)

* C:\WINDOWS\RESOURCES\THEMES\BLACKLIGHT\TEAMSPEAK STUFF\TEAMSPEAK HACKS\TS CRASHER\CRASH&SPAM.EXE (Renamed & Submitted)
* C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\TEAMSPEAK STUFF\TEAMSPEAK HACKS\TS CRASHER\CRASH&SPAM.EXE (Renamed & Submitted)

W32/Bandok.PM (virus)

* C:\WINDOWS\RESOURCES\THEMES\BLACKLIGHT\MSN FREEZER\MESSBLACK FREEZER BETA.EXE (Submitted)
* C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\MSN FREEZER\MESSBLACK FREEZER BETA.EXE (Submitted)

Statistics
Scanned:

* Files: 41088
* System: 5113
* Not scanned: 7

Actions:

* Disinfected: 1
* Renamed: 2
* Deleted: 0
* None: 9
* Submitted: 4

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{AB27FDB4-8DF4-407B-AB7A-E3951343EBE6}.BIN
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{BDF24B83-DE4A-4B13-95A2-9AD4E2591CF6}.BIN
* C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMP\~ROMFN_000006A4
* C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_2896681894_5242880_186830

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-11-19
* F-Secure AVP: 7.0.171, 2007-11-21
* F-Secure Orion: 1.2.37, 2007-11-20
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 2007-10-30
* F-Secure Pegasus: 1.19.0, 2007-10-18

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
* Use Advanced heuristics

DSS Log
Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2007-11-20 16:43:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:47 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_ADM~1.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6050 bytes

-- Files created between 2007-10-20 and 2007-11-20 -----------------------------

2007-11-20 16:14:42 0 d-------- C:\Program Files\MSN Messenger
2007-11-20 14:13:26 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-20 14:12:52 0 d-------- C:\Program Files\Windows Live
2007-11-20 14:12:41 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-20 13:56:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2007-11-19 23:48:36 0 d-------- C:\Program Files\Trend Micro
2007-11-19 13:24:08 0 d-------- C:\Direct X 9.0 files
2007-11-19 13:20:00 0 d-------- C:\Program Files\WarRock
2007-11-19 13:19:43 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\InstallShield
2007-11-17 21:47:10 583680 --a------ C:\WINDOWS\system32\mshelp.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-17 09:07:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2007-11-17 00:26:25 0 d-------- C:\Program Files\WinAVI Video Converter
2007-11-16 20:32:56 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\DivX
2007-11-15 18:36:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-11-15 18:21:28 0 d-------- C:\Program Files\Windows Media Connect 2
2007-11-15 17:53:53 0 d-------- C:\Program Files\ImTOO
2007-11-15 00:57:15 0 d-------- C:\My Zune
2007-11-15 00:53:07 1 --a------ C:\WINDOWS\system32\SysVideotoZune.dat
2007-11-14 19:42:24 0 d-------- C:\Program Files\Ventrilo
2007-11-13 16:02:31 0 d-------- C:\temp
2007-11-13 16:02:14 0 d-------- C:\Program Files\PQDVD
2007-11-12 17:10:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-12 17:09:14 0 dr-h----- C:\MSOCache
2007-11-12 14:53:54 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-11-12 14:53:53 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-11-12 14:53:43 0 d-------- C:\Program Files\Sygate
2007-11-12 14:27:19 0 d-------- C:\NVIDIA
2007-11-12 14:23:58 0 d-------- C:\Program Files\SystemRequirementsLab
2007-11-12 14:23:52 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\SystemRequirementsLab
2007-11-12 03:11:39 0 d-------- C:\Documents and Settings\HP_Administrator\download
2007-11-12 03:11:39 0 d-------- C:\Documents and Settings\HP_Administrator\.kvirc
2007-11-12 03:10:14 0 d-------- C:\Program Files\KVIrc
2007-11-12 02:59:55 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\mIRC
2007-11-12 02:17:37 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\BitTorrent
2007-11-12 02:17:02 0 d-------- C:\Program Files\BitTorrent_DNA
2007-11-12 02:17:02 0 d-------- C:\Program Files\BitTorrent
2007-11-12 02:17:02 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\BitTorrent DNA
2007-11-12 01:16:48 0 d-------- C:\programdata
2007-11-12 00:42:53 0 d-------- C:\Downloads
2007-11-12 00:42:53 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\GetRightToGo
2007-11-10 16:42:32 0 d-------- C:\Program Files\MSXML 6.0
2007-11-10 16:15:42 0 d-------- C:\Program Files\iCall
2007-11-10 14:04:44 0 d-------- C:\Program Files\Steam
2007-11-10 13:02:25 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2007-11-09 21:21:55 0 d-------- C:\Program Files\DIFX
2007-11-09 21:21:32 0 d-------- C:\Program Files\Common Files\ComponentOne
2007-11-09 21:21:28 0 d-------- C:\Program Files\Zune
2007-11-09 21:18:52 0 d-------- C:\WINDOWS\system32\LogFiles
2007-11-09 21:18:52 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-07 16:33:18 0 d--h----- C:\Chl0rid3 Productions
2007-11-06 22:03:57 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
2007-11-05 20:57:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Xfire
2007-11-05 20:57:17 0 d-------- C:\Program Files\Xfire
2007-11-05 19:32:40 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sonic
2007-11-05 19:32:28 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Leadertech
2007-11-04 23:52:59 0 d-------- C:\Program Files\Wondershare
2007-11-04 20:59:38 0 d-------- C:\Program Files\HTV
2007-11-03 00:44:35 0 d-------- C:\Program Files\Web Publish
2007-11-03 00:26:55 103424 --a------ C:\WINDOWS\extrac32.exe <Not Verified; Microsoft Corporation; Microsoft ® CAB File Extract Utility>
2007-11-02 23:40:55 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\HPQ
2007-11-02 20:32:51 0 d-------- C:\Program Files\DivX
2007-10-30 22:55:54 0 d-------- C:\Program Files\Teamspeak2_RC2
2007-10-30 00:19:26 0 d-------- C:\Program Files\MSXML 4.0
2007-10-29 23:34:36 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Template
2007-10-29 23:34:25 0 --a------ C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-10-29 01:01:00 0 d-------- C:\WINDOWS\system32\PreInstall
2007-10-28 23:53:42 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-10-28 21:43:33 294668 --a------ C:\WINDOWS\frexup2.exe
2007-10-28 21:38:32 0 d-------- C:\WINDOWS\Sun
2007-10-28 21:38:31 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sun
2007-10-28 21:07:51 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\TuneUp Software
2007-10-28 21:07:43 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-10-28 21:07:37 0 d-------- C:\Program Files\TuneUp Utilities 2007
2007-10-28 20:06:06 0 d-------- C:\Program Files\BreakPoint Software
2007-10-28 19:40:44 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinRAR
2007-10-28 18:14:07 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\teamspeak2
2007-10-28 17:54:13 0 d---s---- C:\Documents and Settings\HP_Administrator\UserData
2007-10-26 21:48:05 0 d--h----- C:\WINDOWS\PIF
2007-10-26 21:35:29 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Ventrilo
2007-10-26 21:34:21 0 d-------- C:\Program Files\Ares
2007-10-26 21:33:19 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-26 21:30:29 0 d-------- C:\Documents and Settings\HP_Administrator\Contacts
2007-10-26 21:30:00 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-10-26 21:15:25 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-26 21:15:23 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla
2007-10-26 10:27:46 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-26 08:20:23 0 d-------- C:\WINDOWS\pss
2007-10-26 08:17:45 270336 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-10-26 08:17:45 502368 --a------ C:\WINDOWS\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>
2007-10-25 13:22:43 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Macromedia
2007-10-25 13:03:09 0 d-------- C:\Program Files\HyperEngines
2007-10-25 12:54:31 0 d-------- C:\Program Files\Knight Online
2007-10-25 12:31:24 0 d-------- C:\WINDOWS\system32\appmgmt
2007-10-25 12:20:14 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\HP
2007-10-25 12:18:33 0 dr-hs---- C:\cmdcons
2007-10-25 12:18:31 0 d-------- C:\WINDOWS\setup.pss
2007-10-25 12:18:29 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
2007-10-25 12:15:34 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2007-10-25 12:15:34 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Identities
2007-10-25 12:15:33 0 d-------- C:\Documents and Settings\HP_Administrator\WINDOWS
2007-10-25 12:15:33 0 d--h----- C:\Documents and Settings\HP_Administrator\Templates
2007-10-25 12:15:33 0 dr------- C:\Documents and Settings\HP_Administrator\Start Menu
2007-10-25 12:15:33 0 dr-h----- C:\Documents and Settings\HP_Administrator\SendTo
2007-10-25 12:15:33 0 d--h----- C:\Documents and Settings\HP_Administrator\PrintHood
2007-10-25 12:15:33 3145728 --ah----- C:\Documents and Settings\HP_Administrator\NTUSER.DAT
2007-10-25 12:15:33 0 d--h----- C:\Documents and Settings\HP_Administrator\NetHood
2007-10-25 12:15:33 0 dr------- C:\Documents and Settings\HP_Administrator\My Documents
2007-10-25 12:15:33 0 d--h----- C:\Documents and Settings\HP_Administrator\Local Settings
2007-10-25 12:15:33 0 dr------- C:\Documents and Settings\HP_Administrator\Favorites
2007-10-25 12:15:33 0 d-------- C:\Documents and Settings\HP_Administrator\Desktop
2007-10-25 12:15:33 0 d---s---- C:\Documents and Settings\HP_Administrator\Cookies
2007-10-25 12:15:33 0 dr-h----- C:\Documents and Settings\HP_Administrator\Application Data
2007-10-25 12:15:33 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Real
2007-10-25 12:14:27 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2007-10-25 12:13:49 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2007-10-25 12:13:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Real
2007-10-25 12:13:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Intuit
2007-10-25 12:13:03 0 d-------- C:\WINDOWS\Prefetch
2007-10-25 12:12:07 182 --a------ C:\WINDOWS\system\hpsysdrv.DAT
2007-10-25 12:09:54 0 d--hs---- C:\System Volume Information
2007-10-25 11:54:41 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-10-25 11:54:41 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-10-25 11:54:41 0 d--h----- C:\Documents and Settings\Default User\Local Settings
2007-10-25 11:54:41 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-10-25 11:54:40 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-10-25 11:54:00 0 dr------- C:\Documents and Settings\All Users\Documents
2007-10-25 11:53:46 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-10-25 11:53:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-10-25 11:53:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-10-25 11:53:46 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-10-25 11:53:45 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-10-25 11:53:43 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-10-25 11:53:43 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-10-25 11:52:18 0 dr------- C:\WINDOWS\Offline Web Pages
2007-10-25 11:49:10 0 dr-hs---- C:\WINDOWS\system32\dllcache


-- Find3M Report ---------------------------------------------------------------

2007-11-20 14:13:26 0 d-------- C:\Program Files\Common Files
2007-11-19 13:19:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-12 17:15:57 0 d-------- C:\Program Files\Microsoft Works
2007-11-04 10:01:08 0 d-------- C:\Program Files\Java
2007-10-25 12:31:44 0 d-------- C:\Program Files\Common Files\Real
2007-10-25 12:20:14 112954 --a------ C:\WINDOWS\hpoins07.dat
2007-10-19 16:56:16 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-10-19 16:54:28 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-10-19 16:54:28 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-10-19 16:54:12 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-10-19 16:54:12 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-19 16:54:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-19 16:54:10 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-18 01:02:34 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-04 17:14:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-10-04 17:14:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-10-04 17:14:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 17:14:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-10-04 17:14:00 1478656 --a------ C:\WINDOWS\system32\nview.dll
2007-10-04 17:14:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 17:14:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-10-04 17:14:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB5B012-E8CB-46cd-B6D2-ED428FAE9043}]
C:\Program Files\ISM\BndDrive5.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 08:01 PM]
"RTHDCPL"="RTHDCPL.EXE" [03/08/2006 03:54 AM C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 10:19 PM C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/04/2007 05:14 PM]
"nwiz"="nwiz.exe" [10/04/2007 05:14 PM C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/01/2005 10:35 PM]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [03/20/2006 08:05 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/22/2005 09:14 PM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/15/2006 09:34 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [12/15/2005 05:18 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [10/26/2007 08:17 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/04/2007 05:14 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/09/2004 08:00 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ares"="C:\Program Files\Ares\Ares.exe" [07/16/2007 01:54 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 03:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Net Send GUI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Net Send GUI.lnk
backup=C:\WINDOWS\pss\Net Send GUI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iCall Internet Phone]
"C:\Program Files\iCall\iCall.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
"C:\Program Files\ISM2\ISMPack6.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- End of Deckard's System Scanner: finished at 2007-11-20 16:44:21 ------------

HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:33 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6137 bytes

Please reply ASAP, I really need to be secured. Thanks so much for all your help!!!

#6 rigacci

rigacci

    Fiorentino


  • Members
  • 2,597 posts

Posted 22 November 2007 - 09:12 AM

OK, you look clean now. :wacko:

It looks like you were infected with Trojan-Spy.Win32.Ardamax.e which is indeed a keylogger. :blink:

Keyloggers are applications that monitor a user's keystrokes and then send this information back to the malicious user. This can happen via email or to a malicious user's server somewhere on the Internet. These logs can then be used to collect email and online banking usernames and passwords from unsuspecting users or even capture source code being developed in software firms.

While keyloggers have been around for a long time, the growth of spyware over the last few years means they warrant renewed attention. In particular, this is due to the relative ease at which a computer can become infected -- a user simply has to visit the wrong website to become infected.


And here is a link to an interesting article: :thumbsup:

http://www.securityfocus.com/infocus/1829



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.


DR
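The verdict above was reached by reading the HijackThis O2/O4/O10/O23 lines by hand. The script below is an added example (not from this thread and not part of Trend Micro's HijackThis) showing how a defender can do the same first pass automatically: parse the "Onn - ..." entries and flag the ones worth a closer look, namely registry entries pointing at files that no longer exist, services with no recorded publisher, autoruns loaded through rundll32, and unrecognised Winsock LSPs. The sample lines are copied from the log posted in this thread; the flagging rules are this example's own heuristics and a flag means "review", not "malicious" (the NVIDIA rundll32 entry and PunkBuster service here are legitimate).

```python
"""Triage helper for HijackThis-style log lines (added example).

Parses the 'Onn - ...' entries of a HijackThis log and attaches review flags
using simple textual heuristics. It deliberately does not try to decide what
is malware; it only surfaces the entries a human reviewer would check first.
"""
import re
from dataclasses import dataclass, field

# Every HijackThis finding starts "O<number> - <details>"; process lists and
# headers do not, so the regex doubles as the filter for relevant lines.
ENTRY_RE = re.compile(r"^O(\d+)\s+-\s+(.*)$")


@dataclass
class Entry:
    section: int            # the HijackThis section number (2 = BHO, 4 = autorun, 23 = service ...)
    text: str               # everything after "Onn - "
    flags: list = field(default_factory=list)


def parse_hjt(lines):
    """Return an Entry for every 'Onn - ...' line, ignoring header and process lines."""
    entries = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2)))
    return entries


def flag_entry(e):
    """Attach review flags to one entry (heuristics are this example's own)."""
    t = e.text
    if "(file missing)" in t or "(no file)" in t:
        # A registry/BHO/service entry whose target is gone: leftover of a removal,
        # or an installer that never finished. Harmless but should be cleaned up.
        e.flags.append("dangling reference")
    if e.section == 23 and "Unknown owner" in t:
        # Service binary with no publisher string; verify the file by hand.
        e.flags.append("service without publisher")
    if e.section == 4 and re.search(r"rundll32\.exe", t, re.I):
        # Autoruns via rundll32 are common for both drivers and malware loaders.
        e.flags.append("rundll32 autorun")
    if e.section == 10 and "Unknown file" in t:
        # Winsock LSPs sit in the network path of every process.
        e.flags.append("unknown LSP")
    return e


def triage(lines):
    """Parse and flag; return only the entries that picked up at least one flag."""
    return [e for e in (flag_entry(x) for x in parse_hjt(lines)) if e.flags]


# Constructed sample: header/process lines plus entries copied from the thread's log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.splitlines()):
        print(f"O{e.section:<3} {', '.join(e.flags):<40} {e.text}")
```

Run stand-alone it prints the six flagged entries from the sample; the two NOD32 entries and the Java BHO pass through unflagged. Point `triage()` at `open(path).read().splitlines()` to use it on a saved log.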

#7 xLeGenDx

xLeGenDx
  • Topic Starter

  • Members
  • 15 posts

Posted 22 November 2007 - 04:24 PM

I GREATLY appreciate your help with this issue, I understand how keyloggers work :thumbsup:. My logs were being sent to an FTP server which I now have access to. I run NOD32 antivirus and Sygate firewall.
Thanks, and it was really worth it doing this whole procedure with you.

#8 rigacci

rigacci

    Fiorentino


  • Members
  • 2,597 posts

Posted 23 November 2007 - 06:19 AM

Glad we could be of service. :blink:

Have a safe holiday season. :thumbsup:

DR

#9 rigacci

rigacci

    Fiorentino


  • Members
  • 2,597 posts

Posted 23 November 2007 - 06:57 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

:thumbsup:
