Jun 29 2008, 07:44 PM
Post #1

Member
Group: Members
Posts: 16
Joined: 26-May 07
Member No.: 133,096
I hope someone can help me with this major problem. A couple of nights ago I shut down the PC and everything was fine; then the next morning I booted up and the desktop background had changed to: "Warning: Spyware detected on your computer! Install antivirus or spyware remover to clean computer". Now it seems like somebody went on the Internet while I was asleep and got the PC hijacked, and it's all messed up now (I'm hunting down who's responsible as I type).

I've never had this before, but straight away there are some suspicious things going on:

1) Desktop background changed (and cannot change back to the previous one)
2) A program called "Antivirus XP" is installed
3) PC keeps rebooting over and over again, with the odd flash of a blue screen of death

I've already run my most up-to-date Spybot, Ad-Aware and AVG, all of which detected a load of stuff. With the scanning done and all the trojans etc. deleted (or at least I think they are), the problem still exists.

After following the prep guide, here is my copy of the generated DSS report, along with the Kaspersky log too. Cheers.

Deckard's System Scanner v20071014.68
Run by S. Rahman on 2008-06-30 01:41:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

-- Last 5 Restore Point(s) --
6: 2008-06-29 18:05:07 UTC - RP7 - Deckard's System Scanner Restore Point
5: 2008-06-29 18:03:44 UTC - RP6 - Installed Java 6 Update 6
4: 2008-06-29 17:57:57 UTC - RP5 - Removed J2SE Runtime Environment 5.0 Update 12
3: 2008-06-29 13:24:11 UTC - RP4 - Deckard's System Scanner Restore Point
2: 2008-06-29 00:42:14 UTC - RP3 - Last good restore point

-- First Restore Point --
1: 2008-06-29 00:41:53 UTC - RP2 - System Checkpoint

System Drive C: has 2.78 GiB (less than 15%) free.

-- HijackThis (run as S. Rahman.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:42:08, on 30/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\IconLock\ICONLOCK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\S. Rahman\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\S. Rahman.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IconHlprObj Class - {03183603-F684-11d2-A17F-00A0C90AE44B} - C:\PROGRA~1\IconLock\LockHlpr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IconLock] "C:\Program Files\IconLock\ICONLOCK.EXE"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphctp8j0eg2l] C:\WINDOWS\system32\lphctp8j0eg2l.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201211255828
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\S. Rahman\ie_updates3r.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7783 bytes

-- File Associations -----------------------------------------------------------
.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 Pru58 - c:\windows\system32\drivers\pru58.sys (file missing)
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes; CDRTools>
R3 PxHelper - c:\windows\system32\drivers\pxhelper.sys <Not Verified; VERITAS Software, Inc.; PxHelp20>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
S3 sysrest.sys - c:\windows\system32\sysrest.sys
S3 tbntnd5 (USB Cable Modem NDIS driver) - c:\windows\system32\drivers\tbntnd5.sys <Not Verified; MCCI; USB Cable Modem>
S3 tbntunic (USB Cable Modem WDM driver) - c:\windows\system32\drivers\tbntunic.sys <Not Verified; MCCI; USB Cable Modem>
S3 U81xbus (LGE U8XXX driver (WDM)) - c:\windows\system32\drivers\u81xbus.sys <Not Verified; MCCI; LG Electronics U8110>
S3 U81xmdfl (LGE U8XXX USB WMC Modem Filter) - c:\windows\system32\drivers\u81xmdfl.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem Filter Driver>
S3 U81xmdm (LGE U8XXX USB WMC Modem Driver) - c:\windows\system32\drivers\u81xmdm.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem>
S3 U81xmgmt (LGE U8XXX USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\u81xmgmt.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Device Management>
S3 U81xobex (LGE U8XXX USB WMC OBEX Interface) - c:\windows\system32\drivers\u81xobex.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC OBEX Interface>
S3 WUSB54GPV4SRV (Wireless-G Portable USB Adapter Driver) - c:\windows\system32\drivers\rt2500usb.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless USB Adapters>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 TVersityMediaServer - c:\program files\tversity\media server\mediaserver.exe
S2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" (file missing)
S2 Google Online Services - c:\documents and settings\s. rahman\ie_updates3r.exe -a (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>
S4 Active HelpAssistants - c:\windows\iis\iissets (file missing)
S4 SBCSSvc (Sunbelt CounterSpy Antispyware) - "c:\program files\sunbelt software\counterspy\sbcssvc.exe" (file missing)

-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&0&98
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&0&98
Service: rtl8139

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Plug and Play BIOS Extension
Device ID: ROOT\SYSTEM\0003
Manufacturer: (Standard system devices)
Name: Plug and Play BIOS Extension
PNP Device ID: ROOT\SYSTEM\0003
Service: a347bus

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: PnP BIOS Extension
Device ID: ROOT\SYSTEM\0004
Manufacturer: (Standard system devices)
Name: PnP BIOS Extension
PNP Device ID: ROOT\SYSTEM\0004
Service: d347bus

-- Scheduled Tasks -------------------------------------------------------------
2008-06-30 01:00:02 350 --a------ C:\WINDOWS\Tasks\At74.job
2008-06-30 01:00:01 350 --a------ C:\WINDOWS\Tasks\At50.job
2008-06-30 01:00:01 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-06-30 00:00:00 350 --a------ C:\WINDOWS\Tasks\At73.job
2008-06-30 00:00:00 350 --a------ C:\WINDOWS\Tasks\At49.job
2008-06-29 23:00:00 350 --a------ C:\WINDOWS\Tasks\At96.job
2008-06-29 23:00:00 350 --a------ C:\WINDOWS\Tasks\At72.job
2008-06-29 23:00:00 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-06-29 22:00:00 350 --a------ C:\WINDOWS\Tasks\At95.job
2008-06-29 22:00:00 350 --a------ C:\WINDOWS\Tasks\At71.job
2008-06-29 22:00:00 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-06-29 21:00:00 350 --a------ C:\WINDOWS\Tasks\At94.job
2008-06-29 21:00:00 350 --a------ C:\WINDOWS\Tasks\At70.job
2008-06-29 21:00:00 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-06-29 20:00:00 350 --a------ C:\WINDOWS\Tasks\At93.job
2008-06-29 20:00:00 350 --a------ C:\WINDOWS\Tasks\At69.job
2008-06-29 20:00:00 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-06-29 18:00:00 350 --a------ C:\WINDOWS\Tasks\At91.job
2008-06-29 18:00:00 350 --a------ C:\WINDOWS\Tasks\At67.job
2008-06-29 18:00:00 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-06-29 17:00:00 350 --a------ C:\WINDOWS\Tasks\At90.job
2008-06-29 17:00:00 350 --a------ C:\WINDOWS\Tasks\At66.job
2008-06-29 17:00:00 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-06-29 16:00:00 350 --a------ C:\WINDOWS\Tasks\At89.job
2008-06-29 16:00:00 350 --a------ C:\WINDOWS\Tasks\At65.job
2008-06-29 16:00:00 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-06-29 15:00:00 350 --a------ C:\WINDOWS\Tasks\At88.job
2008-06-29 15:00:00 350 --a------ C:\WINDOWS\Tasks\At64.job
2008-06-29 15:00:00 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-06-29 14:00:00 350 --a------ C:\WINDOWS\Tasks\At87.job
2008-06-29 14:00:00 350 --a------ C:\WINDOWS\Tasks\At63.job
2008-06-29 14:00:00 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-06-29 13:00:00 350 --a------ C:\WINDOWS\Tasks\At86.job
2008-06-29 13:00:00 350 --a------ C:\WINDOWS\Tasks\At62.job
2008-06-29 13:00:00 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-06-29 02:00:00 350 --a------ C:\WINDOWS\Tasks\At75.job
2008-06-29 02:00:00 350 --a------ C:\WINDOWS\Tasks\At51.job
2008-06-29 02:00:00 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-06-26 19:00:00 350 --a------ C:\WINDOWS\Tasks\At92.job
2008-06-26 19:00:00 350 --a------ C:\WINDOWS\Tasks\At68.job
2008-06-26 19:00:00 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-06-26 12:00:00 350 --a------ C:\WINDOWS\Tasks\At85.job
2008-06-26 12:00:00 350 --a------ C:\WINDOWS\Tasks\At61.job
2008-06-26 12:00:00 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-06-26 11:00:00 350 --a------ C:\WINDOWS\Tasks\At84.job
2008-06-26 11:00:00 350 --a------ C:\WINDOWS\Tasks\At60.job
2008-06-26 11:00:00 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-06-26 10:00:00 350 --a------ C:\WINDOWS\Tasks\At83.job
2008-06-26 10:00:00 350 --a------ C:\WINDOWS\Tasks\At59.job
2008-06-26 10:00:00 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-06-26 09:00:00 350 --a------ C:\WINDOWS\Tasks\At82.job
2008-06-26 09:00:00 350 --a------ C:\WINDOWS\Tasks\At58.job
2008-06-26 09:00:00 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-06-26 08:00:00 350 --a------ C:\WINDOWS\Tasks\At81.job
2008-06-26 08:00:00 350 --a------ C:\WINDOWS\Tasks\At57.job
2008-06-26 08:00:00 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-06-26 07:00:00 350 --a------ C:\WINDOWS\Tasks\At80.job
2008-06-26 07:00:00 350 --a------ C:\WINDOWS\Tasks\At56.job
2008-06-26 07:00:00 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-06-26 06:00:00 350 --a------ C:\WINDOWS\Tasks\At79.job
2008-06-26 06:00:00 350 --a------ C:\WINDOWS\Tasks\At55.job
2008-06-26 06:00:00 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-06-26 05:00:00 350 --a------ C:\WINDOWS\Tasks\At78.job
2008-06-26 05:00:00 350 --a------ C:\WINDOWS\Tasks\At54.job
2008-06-26 05:00:00 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-06-26 04:00:00 350 --a------ C:\WINDOWS\Tasks\At77.job
2008-06-26 04:00:00 350 --a------ C:\WINDOWS\Tasks\At53.job
2008-06-26 04:00:00 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-06-26 03:00:00 350 --a------ C:\WINDOWS\Tasks\At76.job
2008-06-26 03:00:00 350 --a------ C:\WINDOWS\Tasks\At52.job
2008-06-26 03:00:00 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-06-24 14:11:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-05-30 and 2008-06-30 -----------------------------
2008-06-29 23:44:46 0 d-------- C:\fsaua.data
2008-06-29 23:02:20 0 dr-h----- C:\Documents and Settings\S. Rahman\Recent
2008-06-29 19:03:46 0 d-------- C:\Program Files\Common Files\Java
2008-06-29 19:02:29 15328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-06-28 15:17:04 0 d-------- C:\Program Files\microsoft frontpage
2008-06-28 13:12:11 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 13:06:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-28 13:05:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\rhcpp8j0eg2l
2008-06-27 11:18:39 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\rhcpp8j0eg2l
2008-06-27 01:39:27 17920 --a------ C:\WINDOWS\system32\nloz760.exe
2008-06-27 01:37:24 60928 --a------ C:\WINDOWS\system32\blphctp8j0eg2l.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-06-27 01:37:15 109056 --a------ C:\WINDOWS\system32\lphctp8j0eg2l.exe
2008-06-09 23:41:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

-- Find3M Report ---------------------------------------------------------------
2008-06-29 19:04:17 0 d-------- C:\Program Files\Java
2008-06-29 19:03:46 0 d-------- C:\Program Files\Common Files
2008-06-28 15:17:35 0 d-------- C:\Program Files\Kontiki
2008-06-26 08:16:02 0 d-------- C:\Program Files\eMule
2008-06-24 13:36:24 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\Adobe
2008-06-22 23:17:06 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\uTorrent
2008-06-09 23:42:23 0 d-------- C:\Program Files\Lavasoft
2008-06-09 23:42:21 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\Lavasoft
2008-06-09 23:41:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 15:09:14 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\AVG7
2008-06-08 15:08:10 0 d-------- C:\Program Files\Bonjour
2008-05-22 23:00:28 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-19 19:11:47 0 d-------- C:\Program Files\TVersity Codec Pack
2008-05-17 01:30:07 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\Xfire
2008-05-16 21:16:24 0 d---s---- C:\Program Files\Xfire
2008-05-13 22:50:26 0 d-------- C:\Program Files\AC3Filter
2008-05-13 01:24:15 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-11 14:47:17 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\SopCast

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [10/02/2003 08:59 C:\WINDOWS\SOUNDMAN.EXE]
"IconLock"="C:\Program Files\IconLock\ICONLOCK.EXE" [29/08/1999 09:01]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [15/04/2008 09:56]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15/10/2004 20:40]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2005 00:34]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [25/10/2006 19:58]
"lphctp8j0eg2l"="C:\WINDOWS\system32\lphctp8j0eg2l.exe" [27/06/2008 01:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [28/06/2007 15:09]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [28/02/2007 23:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjgf32]
winjgf32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pru58.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50a2a32e-4889-11da-a518-806d6172696f}]
AutoRun\command- G:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655278ae-49fa-11da-a8c1-806d6172696f}]
AutoRun\command- G:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5136ef0-ee80-11d9-a8e5-806d6172696f}]
AutoRun\command- G:\launcher.exe

*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER

-- End of Deckard's System Scanner: finished at 2008-06-30 01:42:29 ------------

================================================================================

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: AMD Athlon XP 3000+
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 511.48 MiB / 199.63 MiB
Pagefile Memory (total/avail): 1249.03 MiB / 725.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.3 MiB
C: is Fixed (NTFS) - 24.41 GiB total, 2.78 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 124.63 GiB total, 0.2 GiB free.
F: is CDROM (No Media)
G: is Fixed (NTFS) - 465.76 GiB total, 0.36 GiB free.
\\.\PHYSICALDRIVE0 - WDC WD1600BB-00GUA0 - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 24.41 GiB - C:
\PARTITION1 - Installable File System - 124.63 GiB - E:
\\.\PHYSICALDRIVE1 - ST350083 0A USB Device - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 465.76 GiB - G:

-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:utorrent"
"C:\\Documents and Settings\\Guest\\My Documents\\My Music\\realplay.exe"="C:\\Documents and Settings\\Guest\\My Documents\\My Music\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Disabled:Football Manager 2008"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Documents and Settings\\S. Rahman\\Local Settings\\Temp\\.ttB.tmp"="C:\\Documents and Settings\\S. Rahman\\Local Settings\\Temp\\.ttB.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"

-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\S. Rahman\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
COLLECTIONID=COL8143
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=S-987DB4BA93644
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://wwss1pro.cce.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\S. Rahman
ITEMID=dj-22741-15
LANG=2057
LOGONSERVER=\\S-987DB4BA93644
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPP
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Satsuki Decoder Pack\filtres
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONID=1113240886681htx69410c69:1033c96b3c4:-1741
SESSIONNAME=Console
SWUTVER=1.0.1.1
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\S7462~1.RAH\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\S7462~1.RAH\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
UPDATEDIR=C:\DOCUME~1\S7462~1.RAH\LOCALS~1\Temp\radB93D7.tmp
USERDOMAIN=S-987DB4BA93644
USERNAME=S. Rahman
USERPROFILE=C:\Documents and Settings\S. Rahman
VERSION=3.0.5.001
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------
S. Rahman (admin)
Administrator (admin)
Guest (guest)

-- Add/Remove Programs ---------------------------------------------------------
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3 --> C:\Program Files\Common Files\Adobe\Installers\435a6af7459cb02a9c1138113a26e93\Setup.exe
Adobe Dreamweaver CS3 --> MsiExec.exe /I{F01D5ED5-D53A-4468-B428-149DC2CB3110}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe
ExtendScript Toolkit 2 --> MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8} Adobe Extension Manager CS3 --> MsiExec.exe /I{D7A53E41-3F32-4A44-989C-53DDEBB2130C} Adobe Fireworks CS3 --> C:\Program Files\Common Files\Adobe\Installers\bbef028176efa5abf0233d3e1747be8\Setup.exe Adobe Fireworks CS3 --> MsiExec.exe /I{E16110F7-1C85-4675-99F4-7938F832C825} Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B} Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245} Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078} Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C} Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05} Adobe Setup --> MsiExec.exe /I{15C768E2-AB61-4DE3-952F-6B237A834951} Adobe Setup --> MsiExec.exe /I{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1} Adobe Setup --> MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D} Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462} Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183} Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312} Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8} Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5} Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6} Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923} Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D} AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL AVI/MPEG/ASF/WMV Splitter 3.25 --> "C:\Program Files\AVI MPEG ASF WMV Splitter\unins000.exe" BBC iPlayer Download Manager --> MsiExec.exe /I 
{D466F3D9-510C-4729-B7D4-2E70490E4CDF} BitComet 0.85 --> C:\Program Files\BitComet\uninst.exe BlueSoleil --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}\setup.exe" -l0x9 CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe" CDXA Image Reader Filter (SVCD/XCD) (remove only) --> "C:\Program Files\CDXA Image Reader Filter (SVCDXCD)\uninstall.exe" CloneDVD --> "C:\Program Files\Elaborate Bytes\CloneDVD\CloneDVD-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD" Direct Show Ogg Vorbis Filter (remove only) --> "C:\WINDOWS\system32\OggDSuninst.exe" DirectShow subtitle filter colleciton (remove only) --> "C:\WINDOWS\system32\SubtitDSuninst.exe" DirectVobSub (remove only) --> "C:\Program Files\DirectVobSub\uninstall.exe" EasyStudio Image Editor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{946822A3-F5D6-43B6-8335-9113A03773DC}\setup.exe" -l0x9 EAX4 Unified Redist --> MsiExec.exe /X{89661B04-C646-4412-B6D3-5E19F02F1F37} eMule --> "C:\Program Files\eMule\Uninstall.exe" Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu" ffdshow [rev 1324] [2007-07-01] --> "C:\Program Files\Satsuki Decoder Pack\filtres\unins000.exe" Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll" hp deskjet 5100 --> msiexec /x{FEDA56C4-82F3-46DD-8B50-FC592BBE1C0D} HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D} IconLock --> C:\WINDOWS\IsUninst.exe -f"C:\Program 
Files\IconLock\DeIsL1.isu" -c"C:\Program Files\IconLock\LOCKDLL.dll" iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033 IsoBuster 1.4 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe" iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4} Java 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060} LogMeIn --> MsiExec.exe /I{3FEC3A5B-60FF-4626-B425-08E09B121A15} Microsoft AutoRoute 2005 --> MsiExec.exe /I{67E4EE98-59F4-4220-89A6-A20AF5BEC689} Microsoft Encarta Reference Library 2005 --> MsiExec.exe /I{05410141-64A6-4248-A026-9745C1E9E159} Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9} Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSf22.inf, Uninstall Mozilla Firefox (1.0.1) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0.1 (en-GB)" MP3Producer --> C:\WINDOWS\MP3Producer Uninstaller.exe Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5} PIMS & File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F340FE0-E93E-4A53-B5E4-19ED2648FCAE}\Setup.exe" -l0x9 PL-2303 USB-to-Serial --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{50974B3A-B8D5-4C7B-9D23-ED0EC9517B45}\Setup.exe" -l0x9 PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall PowerISO --> "C:\Program Files\PowerISO\uninstall.exe" QuickTime --> MsiExec.exe 
/I{50D8FFDD-90CD-4859-841F-AA1961C7767A} Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE Registry Mechanic --> "C:\Program Files\Registry Mechanic\unins000.exe" Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log SopCast 1.1.1 --> C:\Program Files\SopCast\uninst.exe SpeechRedist --> MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE} Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe" SubSync --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\SubSync\ST6UNST.LOG" Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289} TVersity Codec Pack 1.1 --> C:\Program Files\TVersity Codec Pack\uninst.exe TVersity Media Server 0.9.11.4 beta --> C:\Program Files\TVersity\Media Server\uninst.exe VideoLAN VLC media player 0.8.6a --> C:\Program Files\VideoLAN\VLC\uninstall.exe WinAce Archiver --> C:\Program Files\WinAce\SXUNINST.EXE C:\Program Files\WinAce\SXUNINST.INI Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe" Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52} Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F} Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D} WinPcap 3.1 beta3 --> "C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log" WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe WINXP SP2 TCP Fix --> C:\PROGRA~1\WINXPS~1\UNWISE.EXE C:\PROGRA~1\WINXPS~1\INSTALL.LOG Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe" Zoom Player (remove only) --> "C:\Program Files\Zoom Player\uninstall.exe" -- Application Event Log ------------------------------------------------------- Event Record #/Type1803 / Error Event Submitted/Written: 
06/28/2008 00:31:07 AM Event ID/Source: 1000 / Application Error Event Description: Faulting application nloz734.exe, version 0.0.0.0, faulting module nloz734.exe, version 0.0.0.0, fault address 0x000010b3. Processing media-specific event for [nloz734.exe!ws!] Event Record #/Type1790 / Error Event Submitted/Written: 06/27/2008 11:42:34 AM Event ID/Source: 8 / crypt32 Event Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired. Event Record #/Type1785 / Error Event Submitted/Written: 06/27/2008 11:17:39 AM Event ID/Source: 1000 / Application Error Event Description: Faulting application nloz723.exe, version 0.0.0.0, faulting module nloz723.exe, version 0.0.0.0, fault address 0x000010b3. Processing media-specific event for [nloz723.exe!ws!] Event Record #/Type1781 / Error Event Submitted/Written: 06/27/2008 01:44:33 AM Event ID/Source: 1000 / Application Error Event Description: Faulting application nloz749.exe, version 0.0.0.0, faulting module nloz749.exe, version 0.0.0.0, fault address 0x00001777. Processing media-specific event for [nloz749.exe!ws!] Event Record #/Type1774 / Error Event Submitted/Written: 06/27/2008 00:44:10 AM Event ID/Source: 1000 / Application Error Event Description: Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2604, fault address 0x0013b4ef. Processing media-specific event for [iexplore.exe!ws!] -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. 
-- System Event Log ------------------------------------------------------------ Event Record #/Type61305 / Error Event Submitted/Written: 06/30/2008 01:00:02 AM Event ID/Source: 7901 / Schedule Event Description: The At74.job command failed to start due to the following error: %%2147942402 Event Record #/Type61304 / Error Event Submitted/Written: 06/30/2008 01:00:01 AM Event ID/Source: 7901 / Schedule Event Description: The At50.job command failed to start due to the following error: %%2147942405 Event Record #/Type61303 / Error Event Submitted/Written: 06/30/2008 01:00:01 AM Event ID/Source: 7901 / Schedule Event Description: The At26.job command failed to start due to the following error: %%2147942405 Event Record #/Type61302 / Error Event Submitted/Written: 06/30/2008 00:00:00 AM Event ID/Source: 7901 / Schedule Event Description: The At73.job command failed to start due to the following error: %%2147942402 Event Record #/Type61301 / Error Event Submitted/Written: 06/30/2008 00:00:00 AM Event ID/Source: 7901 / Schedule Event Description: The At49.job command failed to start due to the following error: %%2147942405 -- End of Deckard's System Scanner: finished at 2008-06-30 01:42:29 ------------ ================================================================================ ====================== -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Sunday, June 29, 2008 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Sunday, June 29, 2008 12:41:46 Records in database: 896951 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - Critical Areas: C:\Documents and Settings\All Users\Start Menu\Programs\Startup C:\Documents and Settings\S. 
Rahman\Start Menu\Programs\Startup C:\Program Files C:\WINDOWS Scan statistics: Files scanned: 69852 Threat name: 12 Infected objects: 30 Suspicious objects: 0 Duration of the scan: 01:09:45 File name / Threat name / Threats count C:\WINDOWS\system32\LMIinit.dll/C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.d 1 svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent.ady 1 C:\WINDOWS\system32\sysrest32.exe/C:\WINDOWS\system32\sysrest32.exe Infected: Trojan.Win32.Pakes.czg 1 C:\Program Files\LogMeIn\x86\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.d 1 C:\WINDOWS\system32\k11944629414.exe Infected: Trojan-PSW.Win32.OnLineGames.sle 1 C:\WINDOWS\system32\k11944629425.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\k11944633234.exe Infected: Trojan-PSW.Win32.OnLineGames.sle 1 C:\WINDOWS\system32\k11944635101.exe Infected: Trojan-PSW.Win32.OnLineGames.thh 1 C:\WINDOWS\system32\k11944635144.exe Infected: Trojan-PSW.Win32.OnLineGames.sle 1 C:\WINDOWS\system32\k11944637076.exe Infected: Trojan-PSW.Win32.OnLineGames.hcq 1 C:\WINDOWS\system32\k119446531110.exe Infected: Trojan-PSW.Win32.OnLineGames.hck 1 C:\WINDOWS\system32\k11944727436.exe Infected: Trojan-PSW.Win32.OnLineGames.hcq 1 C:\WINDOWS\system32\k11944763066.exe Infected: Trojan-PSW.Win32.OnLineGames.hcq 1 C:\WINDOWS\system32\k11944766975.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\k11944768895.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\k11944770805.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\k11944772725.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\k11944774635.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\k11944776555.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\k11944778475.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\k11944786265.exe 
Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\k11944792054.exe Infected: Trojan-PSW.Win32.OnLineGames.sle 1 C:\WINDOWS\system32\k11944792065.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\k11944797885.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1 C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.d 1 C:\WINDOWS\system32\nloz534.exe Infected: Trojan-Downloader.Win32.Cntr.by 1 C:\WINDOWS\system32\nloz749.exe Infected: Trojan-Downloader.Win32.Agent.ufv 1 C:\WINDOWS\system32\pphctp8j0eg2l.exe Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1 C:\WINDOWS\system32\sysrest32.exe Infected: Trojan.Win32.Pakes.czg 1 C:\WINDOWS\xhelper.dll Infected: not-a-virus:AdWare.Win32.Agent.db 1 The selected area was scanned. ================================================================================ ====================== |
Post #2, Jun 30 2008, 02:20 AM
I will eat your Malware
Group: HJT Team Coach
Posts: 2,345
Joined: 14-November 04
From: Ontario
Member No.: 5,056
Hi,
Thanks for the logs. That went quite well.

You have quite the mess. Including email spam bots, password stealers and a bunch of other downloaders and so on.

If you do anything sensitive on the PC (like banking, online shopping and such) ya'll need to have your passwords changed from a clean machine. This goes for all users of this machine. Best to contact your financial institutions if you do online banking or use credit cards so they can keep an eye on your accounts. Online game sites as well. (many of these password stealers are targeted at stealing accounts from games like WoW)

Reason you cannot fix your background is the malware set restrictions to disable showing those settings. That too will be fixed shortly.

Reason your security software keeps detecting more and more stuff is because you have several trojans downloading it all & re-installing it.

Anyway -- let's get on with the fixing.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

--Do not mouseclick combofix's window while it's running. That may cause it to stall
--ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
--Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell me.
--Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.

Let me know how the machine is running please.

Thanks

--------------------
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!
For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
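The diagnosis in the reply above rests on a handful of log entries: the Display Properties policy restrictions in the ComboFix "Reg Loading Points" section (the reason the wallpaper cannot be changed back), Windows Firewall exceptions granted to a file in a Temp folder, and the hourly At*.job scheduled tasks that relaunch random-named executables from system32 (which the DSS System Event Log shows failing to start). The script below is an added example for readers who want to pull those same indicators out of a DSS or ComboFix log; it is not a BleepingComputer or ComboFix tool and was not posted by the helper. It runs over constructed sample lines copied from the logs in this thread. The NoDisp* policy names are the standard Windows Display Properties restrictions; only NoDispBackgroundPage and NoDispScrSavPage appear on this machine.

```python
"""Triage helper for DSS / ComboFix style logs.

Added example for this thread, not a BleepingComputer or ComboFix tool. It
reads log text and reports three indicators the helper points at above:
Display Properties policy restrictions, firewall exceptions granted to files
in Temp folders or without an .exe extension, and At*.job scheduled tasks.
"""
import re
from collections import defaultdict

# Windows policy values (Policies\System) that hide Display Properties tabs.
# Only the first two appear in this thread's ComboFix log; the rest are the
# remaining standard NoDisp* values, listed so the check is complete.
DISPLAY_RESTRICTIONS = {
    "NoDispBackgroundPage", "NoDispScrSavPage", "NoDispAppearancePage",
    "NoDispSettingsPage", "NoDispCPL",
}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
POLICY_RE = re.compile(r'^"(?P<name>\w+)"=\s*(?P<val>\d+)\s*\(0x[0-9A-Fa-f]+\)$')
# DSS prints firewall exceptions as "path"="path:*:Enabled:label" (registry escaping).
FIREWALL_RE = re.compile(r'^"(?P<path>[^"]+)"="[^"]*:\*:(?P<state>[A-Za-z]+):(?P<label>[^"]*)"$')
# ComboFix prints scheduled tasks as "timestamp C:\WINDOWS\Tasks\X.job" - target.
TASK_RE = re.compile(r'^"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<job>[^"]+\.job)" - (?P<target>.+)$')
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.IGNORECASE)

# Constructed sample: a few lines copied from the DSS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:utorrent"
"C:\\Documents and Settings\\S. Rahman\\Local Settings\\Temp\\.ttB.tmp"="C:\\Documents and Settings\\S. Rahman\\Local Settings\\Temp\\.ttB.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"
Contents of the 'Scheduled Tasks' folder
"2008-06-24 13:11:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-30 00:00:01 C:\WINDOWS\Tasks\At26.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 01:00:00 C:\WINDOWS\Tasks\At27.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 23:00:00 C:\WINDOWS\Tasks\At49.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"""


def _unescape(path):
    """Collapse the doubled backslashes of registry-exported paths."""
    return path.replace("\\\\", "\\")


def triage(log_text):
    """Return {'policies': [...], 'firewall': [...], 'at_jobs': {target: [jobs]}}."""
    findings = {"policies": [], "firewall": [], "at_jobs": defaultdict(list)}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")   # remember which hive/key the values belong to
            continue
        m = POLICY_RE.match(line)
        if m:
            name, val = m.group("name"), int(m.group("val"))
            if name in DISPLAY_RESTRICTIONS and val != 0:
                findings["policies"].append((section, name, val))
            continue
        m = FIREWALL_RE.match(line)
        if m:
            path = _unescape(m.group("path"))
            low = path.lower()
            reasons = []
            if "\\temp\\" in low:
                reasons.append("temp-dir")
            if not low.endswith(".exe"):
                reasons.append("non-exe")
            if reasons and m.group("state").lower() == "enabled":
                findings["firewall"].append((path, m.group("label"), reasons))
            continue
        m = TASK_RE.match(line)
        if m:
            job = m.group("job").rsplit("\\", 1)[-1]
            if AT_JOB_RE.match(job):   # at.exe-created jobs: At<number>.job
                findings["at_jobs"][m.group("target").strip()].append(job)
    findings["at_jobs"] = dict(findings["at_jobs"])
    return findings


def report(findings):
    """Render findings as plain lines suitable for pasting into a reply."""
    lines = []
    for section, name, val in findings["policies"]:
        lines.append(f"policy restriction {name}={val} under [{section}]")
    for path, label, reasons in findings["firewall"]:
        lines.append(f"firewall exception '{label}' for {path} ({', '.join(reasons)})")
    for target, jobs in findings["at_jobs"].items():
        lines.append(f"{len(jobs)} At*.job task(s) launch {target}: {', '.join(jobs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it as-is to see the report for the sample, or pass it the text of a real ComboFix.txt. The path heuristics are deliberately narrow: the sysrest32.exe exception in the same firewall list sits in system32 with an .exe extension and was only identified by the Kaspersky signature scan, so a script like this complements a scanner rather than replacing it.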
Post #3, Jun 30 2008, 09:03 AM
Member
Group: Members
Posts: 16
Joined: 26-May 07
Member No.: 133,096
Hi Blender

Here are the following Combo and HJT logs

ComboFix 08-06-20.4 - S. Rahman 2008-06-30 14:41:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.159 [GMT 1:00]
Running from: C:\Documents and Settings\S. Rahman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\S. Rahman\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\llk1194475308.h
C:\WINDOWS\system32\llk1194483321.h
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\sysrest.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACTIVE_HELPASSISTANTS
-------\Legacy_GOOGLE_ONLINE_SERVICES
-------\Service_Active HelpAssistants
-------\Service_Google Online Services
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-29 23:44 . 2008-06-29 23:44 <DIR> d-------- C:\fsaua.data
2008-06-29 22:23 . 2008-06-29 22:23 <DIR> d---s---- C:\WINDOWS\system32\config\systemprofile\UserData
2008-06-29 19:04 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-29 19:03 . 2008-06-29 19:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-29 14:23 . 2008-06-29 14:23 <DIR> d-------- C:\Deckard
2008-06-28 15:17 . 2008-06-28 15:17 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-28 13:06 . 2008-06-28 13:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-28 13:05 . 2008-06-28 13:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\rhcpp8j0eg2l
2008-06-27 11:42 . 2008-06-27 11:44 48,810 --a------ C:\WINDOWS\mssecurity.config
2008-06-27 11:18 . 2008-06-27 11:18 <DIR> d-------- C:\Documents and Settings\S. Rahman\Application Data\rhcpp8j0eg2l
2008-06-27 01:39 . 2008-06-27 01:39 17,920 --a------ C:\WINDOWS\system32\nloz760.exe
2008-06-27 01:37 . 2008-06-27 01:37 109,056 --a------ C:\WINDOWS\system32\lphctp8j0eg2l.exe
2008-06-27 01:37 . 2008-06-30 14:47 90,838 --a------ C:\WINDOWS\system32\phctp8j0eg2l.bmp
2008-06-27 01:37 . 2008-06-30 14:47 60,928 --a------ C:\WINDOWS\system32\blphctp8j0eg2l.scr
2008-06-27 01:37 . 2008-06-28 12:20 453 --a------ C:\WINDOWS\system32\xghbnx.tmp
2008-06-09 23:41 . 2008-06-09 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-03 17:56 . 2008-06-08 02:02 714 --a------ C:\WINDOWS\system\akstart.lnk
2008-05-22 01:39 . 2008-06-08 15:08 <DIR> d-------- C:\Program Files\Bonjour
2008-05-19 19:11 . 2007-04-24 17:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-05-19 19:00 . 2008-05-19 19:11 <DIR> d-------- C:\Program Files\TVersity Codec Pack
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-13 22:50 . 2008-05-13 22:50 <DIR> d-------- C:\Program Files\AC3Filter
2008-05-13 22:50 . 2004-05-25 16:06 417,792 --a------ C:\WINDOWS\system32\ac3filter.cpl
2008-05-11 18:08 . 2008-05-11 19:41 67 --a------ C:\WINDOWS\AVIConverter.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 13:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-29 18:04 --------- d-----w C:\Program Files\Java
2008-06-28 15:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-06-28 14:17 --------- d-----w C:\Program Files\Kontiki
2008-06-28 12:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 07:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-26 07:16 --------- d-----w C:\Program Files\eMule
2008-06-22 22:17 --------- d-----w C:\Documents and Settings\S. Rahman\Application Data\uTorrent
2008-06-09 22:42 --------- d-----w C:\Program Files\Lavasoft
2008-06-09 22:42 --------- d-----w C:\Documents and Settings\S. Rahman\Application Data\Lavasoft
2008-06-09 22:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 21:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-08 14:09 --------- d-----w C:\Documents and Settings\S. Rahman\Application Data\AVG7
2008-06-06 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-22 22:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-17 00:30 --------- d-----w C:\Documents and Settings\S. Rahman\Application Data\Xfire
2008-05-16 20:16 --------- d-s---w C:\Program Files\Xfire
2008-05-13 00:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-11 13:47 --------- d-----w C:\Documents and Settings\S. Rahman\Application Data\SopCast
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-03-31 00:46 3,416 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2006-03-07 01:35 1,027 ----a-w C:\Documents and Settings\All Users\Application Data\wc.dat
2007-05-24 15:24 8 --sh--r C:\WINDOWS\system32\2E9B37FAE7.dll
.

------- Sigcheck -------

2004-08-08 11:14 359040 7b11118b078b88f87183fe69eda43137 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-08 11:14 359040 7b11118b078b88f87183fe69eda43137 C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-08 11:14 359040 7b11118b078b88f87183fe69eda43137 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 15:09 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 08:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
"IconLock"="C:\Program Files\IconLock\ICONLOCK.EXE" [1999-08-29 09:01 28672]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:56 579584]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 20:40 2577632]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-05-12 00:34 6729728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"lphctp8j0eg2l"="C:\WINDOWS\system32\lphctp8j0eg2l.exe" [2008-06-27 01:37 109056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 13:01 219136]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 15:09 68856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pru58.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-04-17 14:03 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-05-12 00:34 6729728 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-05-12 00:34 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-15 00:50 233472 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Documents and Settings\\Guest\\My Documents\\My Music\\realplay.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20632:TCP"= 20632:TCP:BitComet 20632 TCP
"20632:UDP"= 20632:UDP:BitComet 20632 UDP

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-03-28 19:55]
R3 PxHelper;PxHelper;C:\WINDOWS\system32\drivers\PxHelper.sys [2001-09-11 23:23]
S0 Pru58;Pru58;C:\WINDOWS\system32\Drivers\Pru58.sys []
S3 tbntnd5;USB Cable Modem NDIS driver;C:\WINDOWS\system32\DRIVERS\tbntnd5.sys [2001-10-16 07:40]
S3 tbntunic;USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\tbntunic.sys [2001-10-16 03:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50a2a32e-4889-11da-a518-806d6172696f}]
\Shell\AutoRun\command - G:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655278ae-49fa-11da-a8c1-806d6172696f}]
\Shell\AutoRun\command - G:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5136ef0-ee80-11d9-a8e5-806d6172696f}]
\Shell\AutoRun\command - G:\launcher.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 13:11:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-30 00:00:01 C:\WINDOWS\Tasks\At26.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 01:00:00 C:\WINDOWS\Tasks\At27.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 02:00:00 C:\WINDOWS\Tasks\At28.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 03:00:00 C:\WINDOWS\Tasks\At29.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 04:00:00 C:\WINDOWS\Tasks\At30.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 05:00:00 C:\WINDOWS\Tasks\At31.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 06:00:00 C:\WINDOWS\Tasks\At32.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 07:00:00 C:\WINDOWS\Tasks\At33.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 08:00:00 C:\WINDOWS\Tasks\At34.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 09:00:00 C:\WINDOWS\Tasks\At35.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 10:00:00 C:\WINDOWS\Tasks\At36.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 11:00:00 C:\WINDOWS\Tasks\At37.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 12:00:00 C:\WINDOWS\Tasks\At38.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 13:00:00 C:\WINDOWS\Tasks\At39.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 14:00:00 C:\WINDOWS\Tasks\At40.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 15:00:00 C:\WINDOWS\Tasks\At41.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 16:00:00 C:\WINDOWS\Tasks\At42.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 17:00:00 C:\WINDOWS\Tasks\At43.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 18:00:00 C:\WINDOWS\Tasks\At44.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 19:00:00 C:\WINDOWS\Tasks\At45.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 20:00:00 C:\WINDOWS\Tasks\At46.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 21:00:00 C:\WINDOWS\Tasks\At47.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 22:00:00 C:\WINDOWS\Tasks\At48.job" - C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 23:00:00 C:\WINDOWS\Tasks\At49.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-30 00:00:01 C:\WINDOWS\Tasks\At50.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 01:00:00 C:\WINDOWS\Tasks\At51.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 02:00:00 C:\WINDOWS\Tasks\At52.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 03:00:00 C:\WINDOWS\Tasks\At53.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 04:00:00 C:\WINDOWS\Tasks\At54.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 05:00:00 C:\WINDOWS\Tasks\At55.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 06:00:00 C:\WINDOWS\Tasks\At56.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 07:00:00 C:\WINDOWS\Tasks\At57.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 08:00:00 C:\WINDOWS\Tasks\At58.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 09:00:00 C:\WINDOWS\Tasks\At59.job" - C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 10:00:00
C:\WINDOWS\Tasks\At60.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-26 11:00:00 C:\WINDOWS\Tasks\At61.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 12:00:00 C:\WINDOWS\Tasks\At62.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 13:00:00 C:\WINDOWS\Tasks\At63.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 14:00:00 C:\WINDOWS\Tasks\At64.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 15:00:00 C:\WINDOWS\Tasks\At65.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 16:00:00 C:\WINDOWS\Tasks\At66.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 17:00:00 C:\WINDOWS\Tasks\At67.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-26 18:00:00 C:\WINDOWS\Tasks\At68.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 19:00:00 C:\WINDOWS\Tasks\At69.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 20:00:00 C:\WINDOWS\Tasks\At70.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 21:00:00 C:\WINDOWS\Tasks\At71.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 22:00:00 C:\WINDOWS\Tasks\At72.job" - C:\WINDOWS\system32\Fcyb2DUV.exe "2008-06-29 23:00:00 C:\WINDOWS\Tasks\At73.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-30 00:00:02 C:\WINDOWS\Tasks\At74.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 01:00:00 C:\WINDOWS\Tasks\At75.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 02:00:00 C:\WINDOWS\Tasks\At76.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 03:00:00 C:\WINDOWS\Tasks\At77.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 04:00:00 C:\WINDOWS\Tasks\At78.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 05:00:00 C:\WINDOWS\Tasks\At79.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 06:00:00 C:\WINDOWS\Tasks\At80.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 07:00:00 C:\WINDOWS\Tasks\At81.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 08:00:00 C:\WINDOWS\Tasks\At82.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 09:00:00 C:\WINDOWS\Tasks\At83.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 10:00:00 
C:\WINDOWS\Tasks\At84.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 11:00:00 C:\WINDOWS\Tasks\At85.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 12:00:00 C:\WINDOWS\Tasks\At86.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 13:00:00 C:\WINDOWS\Tasks\At87.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 14:00:00 C:\WINDOWS\Tasks\At88.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 15:00:00 C:\WINDOWS\Tasks\At89.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 16:00:00 C:\WINDOWS\Tasks\At90.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 17:00:00 C:\WINDOWS\Tasks\At91.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-26 18:00:00 C:\WINDOWS\Tasks\At92.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 19:00:00 C:\WINDOWS\Tasks\At93.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 20:00:00 C:\WINDOWS\Tasks\At94.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 21:00:00 C:\WINDOWS\Tasks\At95.job" - C:\WINDOWS\system32\U4vFTnj3.exe "2008-06-29 22:00:00 C:\WINDOWS\Tasks\At96.job" - C:\WINDOWS\system32\U4vFTnj3.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-30 14:47:35 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant] "ImagePath"="" . ------------------------ Other Running Processes ------------------------ . 
C:\Program Files\Sygate\SPF\Smc.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\wscript.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\Kontiki\KService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\wdfmgr.exe . ********************************************************* |