Different Comp, Another Problem


  • This topic is locked
23 replies to this topic

#1 hibachi

  • Members
  • 63 posts

Posted 12 August 2007 - 10:19 PM

Please do not confuse this topic with my other one. These are two different problems, and I can wait until the first one is resolved if it must. I just wish to report this problem as soon as possible in an attempt to fix it promptly.

While working on my family's desktop, my laptop became infected with some sort of virus. Avast! continually claims that my "mhd.sys" is infected with "Win32:Trojan-gen. {other}". Repair does nothing, Move to Chest does nothing, Delete does nothing. I've done boot-time scans, safe mode scans, and attempted a system restore, but nothing works. The virus warning comes up every time I reboot, and every time I attempt to open a folder such as My Documents, explorer.exe crashes and the warning comes up again.

Here is my HJT log. Please help me... again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:06 AM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Foxie Suite\StartFoxie.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com//0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iro.ragnarokonline.com/game/jobintro.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com//0seenus/saos01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Chronos] C:\Program Files\Chronos\Chronos.exe s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O21 - SSODL: BurnWorld.Com BurnOn CD&DVD_is1 - {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\ass.bmp
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\gif\Dancing\1127984020177.gif
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\4sal-end.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\Wallpaper\1120039494231.png

--
End of file - 10931 bytes


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 August 2007 - 06:38 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, hibachi :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 (Search) by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT*
Do NOT run any other options until you are asked to do so!

Also post a new Hijackthis log please.

#3 hibachi

  • Topic Starter
  • Members
  • 63 posts

Posted 13 August 2007 - 11:50 AM

Thank you Richie. Your help is greatly appreciated. I'm supposed to be recovering but instead I'm fueling all my energy into these computers :thumbsup:

Anyway, here is the ComboFix log:

ComboFix 07-08-13.3 - "owner" 2007-08-13 1:59:30.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\hosts
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IPRIP


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-13 01:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-12 12:03 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-08-12 11:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-12 11:38 <DIR> d-------- C:\Program Files\vmntoolbar
2007-08-12 11:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
2007-08-12 11:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-08-11 12:58 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\Popular Sites
2007-08-11 12:57 <DIR> d-------- C:\Program Files\Visicom Media
2007-08-11 12:57 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\vmntoolbar
2007-08-11 12:57 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\Dynamic
2007-08-10 22:16 5,600 --a------ C:\WINDOWS\SYSTEM\winaspi.dll
2007-08-10 22:16 4,672 --a------ C:\WINDOWS\SYSTEM\wowpost.exe
2007-08-10 20:59 <DIR> d-------- C:\Program Files\pike
2007-08-05 13:17 <DIR> d-------- C:\Program Files\TVersity
2007-08-05 13:16 60,273 --a------ C:\WINDOWS\SYSTEM32\pthreadGC2.dll
2007-08-05 13:16 10,752 --a------ C:\WINDOWS\SYSTEM32\ff_vfw.dll
2007-08-05 13:16 <DIR> d-------- C:\Program Files\ffdshow
2007-08-01 02:27 <DIR> d-------- C:\Program Files\MediaCoder
2007-07-31 23:42 2,951 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2007-07-31 23:40 507,768 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall.exe
2007-07-31 23:40 <DIR> d-------- C:\Program Files\Illustrate
2007-07-31 19:24 <DIR> d-------- C:\Program Files\FLAC
2007-07-31 11:56 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\NCH Swift Sound
2007-07-31 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Swift Sound
2007-07-31 11:55 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-07-31 11:55 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\NCH Swift Sound
2007-07-31 11:42 <DIR> d-------- C:\Program Files\Medieval Software
2007-07-29 22:22 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\ImgBurn
2007-07-29 22:07 <DIR> d-------- C:\Program Files\ImgBurn
2007-07-29 21:38 344,064 --a------ C:\WINDOWS\SYSTEM32\msvcr70.dll
2007-07-29 21:38 1,700,352 --a------ C:\WINDOWS\SYSTEM32\GdiPlus.dll
2007-07-29 21:38 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-07-29 18:04 <DIR> d-------- C:\Program Files\Allok AVI to DVD SVCD VCD Converter
2007-07-27 18:19 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\FoxieSpywareSwiftSweeper
2007-07-27 18:18 <DIR> d-------- C:\Program Files\Foxie Suite
2007-07-26 00:14 <DIR> d-------- C:\Program Files\Yahoo SiteBuilder
2007-07-25 23:59 <DIR> d-------- C:\Program Files\FreshWebmaster
2007-07-25 23:26 7,864,320 --a------ C:\DOCUME~1\owner\ntuser.dat
2007-07-25 23:26 1,310,720 --a------ C:\DOCUME~1\LOCALS~1.NTA\ntuser.dat
2007-07-25 23:26 <DIR> d-------- C:\Program Files\A.F.5 Rename your files 1.1
2007-07-25 13:56 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-07-25 13:55 <DIR> d-------- C:\Program Files\The Rosetta Stone
2007-07-24 23:29 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\WinRAR
2007-07-23 21:36 <DIR> d-------- C:\Program Files\ZC2.10
2007-07-23 02:10 <DIR> d-------- C:\Program Files\Moleskinsoft Clone Remover 1.9
2007-07-23 01:54 <DIR> d-------- C:\Program Files\PictureRelate
2007-07-22 22:46 6,688 --a------ C:\WINDOWS\SYSTEM32\Digita.sys
2007-07-22 22:46 49,152 --a------ C:\WINDOWS\SYSTEM32\TransportUSB.dll
2007-07-22 22:46 49,152 --a------ C:\WINDOWS\SYSTEM32\TransportSerial.dll
2007-07-22 22:46 45,568 --a------ C:\WINDOWS\SYSTEM32\DC210.dll
2007-07-22 22:46 43,520 --a------ C:\WINDOWS\SYSTEM32\ekfpixaudio.dll
2007-07-22 22:46 4,608 --a------ C:\WINDOWS\SYSTEM32\ekfpixguid.dll
2007-07-22 22:46 335,872 --a------ C:\WINDOWS\SYSTEM32\ldf252.dll
2007-07-22 22:46 32,768 --a------ C:\WINDOWS\SYSTEM32\F210.dll
2007-07-22 22:46 230,400 --a------ C:\WINDOWS\SYSTEM32\DC265.dll
2007-07-22 22:46 138,240 --a------ C:\WINDOWS\SYSTEM32\ekfpixexif.dll
2007-07-22 22:46 126,976 --a------ C:\WINDOWS\SYSTEM32\lwf214p.dll
2007-07-22 22:46 110,592 --a------ C:\WINDOWS\SYSTEM32\DC240.dll
2007-07-22 22:45 7,168 --a------ C:\WINDOWS\SYSTEM32\Jgme500.dll
2007-07-22 22:45 15,872 --a------ C:\WINDOWS\SYSTEM32\Jgpl500.dll
2007-07-22 22:45 144,896 --a------ C:\WINDOWS\SYSTEM32\Jgdw500.dll
2007-07-22 22:45 13,312 --a------ C:\WINDOWS\SYSTEM32\Jgst500.dll
2007-07-22 22:45 11,264 --a------ C:\WINDOWS\SYSTEM32\Jgid500.dll
2007-07-22 22:45 11,264 --a------ C:\WINDOWS\SYSTEM32\Jgar500.dll
2007-07-22 22:45 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\ACD Systems
2007-07-22 22:44 <DIR> d-------- C:\Program Files\ACD Systems
2007-07-22 22:43 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\ACDInTouch
2007-07-22 22:10 <DIR> d-------- C:\Program Files\eBay-Icon
2007-07-22 22:10 <DIR> d-------- C:\Program Files\AntiTwin
2007-07-22 17:20 <DIR> d-------- C:\Program Files\Educational Simulations
2007-07-19 23:00 <DIR> d-------- C:\Program Files\Power Tab Software
2007-07-19 14:47 <DIR> d-------- C:\Program Files\CCleaner
2007-07-19 14:14 <DIR> d-------- C:\Program Files\Dobermann
2007-07-18 23:49 <DIR> d-------- C:\Program Files\MAIET


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 01:55 18176 --a------ C:\WINDOWS\system32\drivers\mhd.sys
2007-07-27 17:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-10 22:26 --------- d-------- C:\DOCUME~1\owner\APPLIC~1\acccore
2007-07-10 22:24 --------- d-------- C:\Program Files\Common Files\AOL
2007-07-10 22:24 --------- d-------- C:\Program Files\AIM6
2007-07-09 12:42 --------- d-------- C:\DOCUME~1\owner\APPLIC~1\Hamachi
2007-07-09 12:41 25544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-07-08 22:18 5 --ahs---- C:\WINDOWS\system32\bddeeefa_s.dll
2007-07-08 22:18 --------- d-------- C:\Program Files\jv16 PowerTools 2006
2007-07-04 00:06 --------- d-------- C:\Program Files\Add Remove Pro
2007-07-02 17:55 --------- d-------- C:\Program Files\GALA-NET
2007-05-16 10:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll
2006-03-28 18:34 3047 --a------ C:\Program Files\secure32.html
2004-11-20 23:37 266 ---hs---- C:\Program Files\desktop.ini
2004-11-20 23:37 11079 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2004-08-04 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Chronos"="C:\Program Files\Chronos\Chronos.exe" [2006-07-22 18:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"StartFoxie"="C:\Program Files\Foxie Suite\StartFoxie.exe" [2005-11-09 09:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 15:22]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 19:34]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-12-13 18:27]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"P2kAutostart"="" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]

C:\Documents and Settings\owner\Start Menu\Programs\Startup\
OpenOffice.org 1.1.5.lnk - C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe [2005-07-12 01:10:00]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
EZ-DUB Finder.lnk - C:\Program Files\EZ-DUB\EZ-DUB.exe [2005-09-13 19:47:52]
SnapDetect.lnk - C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe [2006-09-25 20:11:25]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-18 14:49:31]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\owner\My Documents\My Pictures\4chan\ass.bmp
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\owner\My Documents\My Pictures\4chan\gif\Dancing\1127984020177.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\owner\My Documents\My Pictures\4chan\4sal-end.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= C:\Documents and Settings\owner\My Documents\My Pictures\Wallpaper\1120039494231.png
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BurnWorld.Com BurnOn CD&DVD_is1"= {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll [2007-07-22 18:18 102543]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
C:\FRAPS\FRAPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1135391849\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKExe]
c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell]
"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarSkin]
C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tetriz3]
C:\WINDOWS\system32\tetriz3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\system32\tcpsvcs.exe
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
S1 rxp;rxp;\??\C:\WINDOWS\system32\drivers\rxp.sys
S3 firewall;firewall;\??\C:\Program Files\Foxie Suite\firewall.sys
S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\system32\tcpsvcs.exe
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 rtl8180;Belkin 11Mbps Wireless Notebook Network Card Driver;C:\WINDOWS\system32\DRIVERS\Bel6020.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{582edb60-0432-11dc-a21b-00038a000015}]
AutoRun\command- E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2005-11-28 03:00:02 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job - C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 01:55:20
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = ???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 1:57:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-13 01:57

--- E O F ---


Here is the Smitfraud "Rapport":

SmitFraudFix v2.211

Scan done at 2:08:25.31, Mon 08/13/2007
Run from C:\Documents and Settings\owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Foxie Suite\StartFoxie.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\owner


C:\Documents and Settings\owner\Application Data


Start Menu


C:\DOCUME~1\owner\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\secure32.html FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Documents and Settings\\owner\\My Documents\\My Pictures\\4chan\\ass.bmp"
"SubscribedURL"="C:\\Documents and Settings\\owner\\My Documents\\My Pictures\\4chan\\ass.bmp"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Documents and Settings\\owner\\My Documents\\My Pictures\\4chan\\gif\\Dancing\\1127984020177.gif"
"SubscribedURL"="C:\\Documents and Settings\\owner\\My Documents\\My Pictures\\4chan\\gif\\Dancing\\1127984020177.gif"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\Documents and Settings\\owner\\My Documents\\My Pictures\\4chan\\4sal-end.gif"
"SubscribedURL"="C:\\Documents and Settings\\owner\\My Documents\\My Pictures\\4chan\\4sal-end.gif"
"FriendlyName"=""

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3295D042-E45D-42E2-B96B-E45669C060B0}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9A0D5E8E-A261-4813-8B56-9DE28682AF95}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3295D042-E45D-42E2-B96B-E45669C060B0}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9A0D5E8E-A261-4813-8B56-9DE28682AF95}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3295D042-E45D-42E2-B96B-E45669C060B0}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Scanning for wininet.dll infection


End

And here is the fresh HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:10, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Foxie Suite\StartFoxie.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\owner\Desktop\HiJackThis.exe
C:\Program Files\Foxie Suite\Firewall.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iro.ragnarokonline.com/game/jobintro.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com//0seenus/saos01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Chronos] C:\Program Files\Chronos\Chronos.exe s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O21 - SSODL: BurnWorld.Com BurnOn CD&DVD_is1 - {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\ass.bmp
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\gif\Dancing\1127984020177.gif
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\4sal-end.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\Wallpaper\1120039494231.png

--
End of file - 10524 bytes
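
A small triage parser for a HijackThis log, added here as an example; it is not part of this thread and not code from the HijackThis tool. It groups the entry types a helper reads first (browser add-ons, autoruns, remote ActiveX downloads, SSODL hooks and desktop components) and pulls out the dead `(no file)` / `(file missing)` references, which are the entries usually safe to let HJT fix. The sample is a handful of lines copied from the log above; the category names and helper functions are this example's own.

```python
"""Triage helper for a HijackThis v2 log (added example, not from the thread)."""
import re
from collections import defaultdict

# An entry line looks like "O2 - BHO: name - {CLSID} - C:\path\file.dll"
# or "R0 - HKCU\...\Main,Start Page = http://...".
ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HJT appends these markers when the registry entry points at a file that is gone.
DEAD_MARKERS = ("(no file)", "(file missing)")

# Constructed sample: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iro.ragnarokonline.com/game/jobintro.asp
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O21 - SSODL: BurnWorld.Com BurnOn CD&DVD_is1 - {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\ass.bmp
--
End of file - 10524 bytes
"""


def parse_hjt(text):
    """Return (section, body) for every 'Rn - ...' / 'Onn - ...' entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def clsid_of(body):
    """First CLSID-shaped token in an entry body, or None."""
    m = CLSID_RE.search(body)
    return m.group(0) if m else None


def triage(text):
    """Group entries by what a helper checks first. Category names are this example's own."""
    findings = defaultdict(list)
    for sec, body in parse_hjt(text):
        if any(marker in body for marker in DEAD_MARKERS):
            findings["dead_reference"].append(body)   # target file no longer on disk
        if sec in ("O2", "O3"):
            findings["browser_addon"].append(body)    # BHOs and IE toolbars
        if sec == "O4":
            findings["autorun"].append(body)          # Run keys and Startup folders
        if sec == "O16" and "http://" in body:
            findings["remote_activex"].append(body)   # ActiveX pulled from a remote .cab
        if sec == "O21":
            findings["ssodl"].append(body)            # ShellServiceObjectDelayLoad hooks
        if sec == "O24":
            findings["desktop_component"].append(body)  # Active Desktop items (wallpaper hijacks)
    return dict(findings)


def dead_clsids(text):
    """CLSIDs of entries whose file is gone; the usual 'let HJT fix these' set."""
    clsids = []
    for body in triage(text).get("dead_reference", []):
        clsid = clsid_of(body)
        if clsid:
            clsids.append(clsid)
    return clsids


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("    ", item)
    print("dead CLSIDs:", dead_clsids(SAMPLE_LOG))
```

The grouping is only a reading aid: an O24 entry pointing at the user's own picture, as in this thread, is benign, whereas one pointing at an `.html` dropped under `Program Files` is the SmitFraud wallpaper hijack that SmitFraudFix cleans, so the categories tell you where to look, not what to delete.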

#4 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 August 2007 - 02:05 PM

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the Smitfraudfix report into your next reply.


Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\bddeeefa_s.dll

Folder::
C:\Program Files\vmntoolbar
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tetriz3]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#5 hibachi

  • Topic Starter

  • Members
  • 63 posts

Posted 13 August 2007 - 02:25 PM

SmitFraud Rapport:

SmitFraudFix v2.211

Scan done at 1:57:08.32, Mon 08/13/2007
Run from C:\Documents and Settings\owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\Program Files\secure32.html Deleted

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3295D042-E45D-42E2-B96B-E45669C060B0}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9A0D5E8E-A261-4813-8B56-9DE28682AF95}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3295D042-E45D-42E2-B96B-E45669C060B0}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9A0D5E8E-A261-4813-8B56-9DE28682AF95}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3295D042-E45D-42E2-B96B-E45669C060B0}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

ComboFix Log:

ComboFix 07-08-13.3 - "owner" 2007-08-13 1:58:44.2 - FAT32x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.296 [GMT -5:00]
Command switches used :: C:\Documents and Settings\owner\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\bddeeefa_s.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\owner\APPLIC~1\vmntoolbar
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\---Yahoo.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\0\rsscenter.xml
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\01net.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\1px_dark.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\1px_green.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\1px_white.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\a.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\amazon.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\an.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\arrow_down.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\arrow_red.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\arrow_red2.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\arrow_up.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\arrowB.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\arrowT.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\autofill.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\avstate.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\b.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\background2.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\bg_pub.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\bg_ttl.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\bgmeteo_results.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\bn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\btn_close.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\btn_minus.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\btn_moreforecast.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\c.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\canalblog.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\cn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\COMBOSEARCH.acs
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\d.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\dictionary2.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\dn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\DownloadCOM.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\dropdown.css
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\ErrorPageTemplate.css
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\f.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_argentine.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_australia.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_brazil.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_canada.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_china.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_france.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_germany.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_greece.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_hongkong.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_india.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_indonesia.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_italy.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_japan.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_korea.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_mexico.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_netherlands.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_spain.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_sweeden.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_taiwan.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_uk.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\flag_usa.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\fn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\g.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\gaming.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\gn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\gograph.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred0.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred0_5.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred1.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred1_5.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred2.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred2_5.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred3.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred3_5.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred4.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred4_5.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\graphred5.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_aquarius.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_aries.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_cancer.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_capricorn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_gemini.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_leo.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_libra.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_pisces.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_sagittarius.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_scorpio.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_taurus.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\h_virgo.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\help.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\hideremove.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\highlight.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\hn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\i.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\icotemp_placeholder.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\IEtab.zip
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\in.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\ipsearch.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\j.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\jn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\k.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\kn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\l.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\ln.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\loading.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\login.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\logo.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\n.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\New York_NY_weather.txt
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\new02.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\news.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\news.html
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\nn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\o.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\on.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\p.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\p_yahoo.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\p_yahoo_fr.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\pestscanimg.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\pixsy.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\pn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\popup_off.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\popup_on.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\popup_ona.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\q.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\qn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\r.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\relatedlinks.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\report.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\rn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\rss.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\rss.xsl
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\rss1.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\rsslib.js
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\rssmenu1_6.zip
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\s.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\security.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\Sinfo.txt
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\siteinfo.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\slider.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\sn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\spacer.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\stars-red1.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\stars-red2.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\stars-red3.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\stars-red4.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\stars-red5.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\storage.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\t.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\tab_icon.png
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\tabdata.js
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\tablib.js
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\tabwelcome_en.html
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\tabwelcome_fr.html
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\technorati.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\thes_search.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\Thumbs.db
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\tn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\tools.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\translate.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\u.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\un.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\utf8.js
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\v.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\vmlib.js
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\vmntoolbartb0500.cfg
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\vn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\w.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\web.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\wikipedia.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\wn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\x.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\xp_close_small.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\yahoo.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\yahoo_search.gif
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\YouTube.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\z.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\zn.bmp
C:\DOCUME~1\owner\APPLIC~1\vmntoolbar\zoom.bmp
C:\Program Files\vmntoolbar
C:\Program Files\vmntoolbar\install.ico
C:\Program Files\vmntoolbar\toolbar.ini
C:\Program Files\vmntoolbar\uninstall.exe
C:\Program Files\vmntoolbar\vmntoolbar.dll
C:\WINDOWS\system32\bddeeefa_s.dll


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-13 02:08 2,146 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-13 01:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 01:55 18,176 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mhd.sys
2007-08-12 12:03 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-08-12 11:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-12 11:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
2007-08-12 11:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-08-11 12:58 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\Popular Sites
2007-08-11 12:57 <DIR> d-------- C:\Program Files\Visicom Media
2007-08-11 12:57 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\Dynamic
2007-08-10 22:16 5,600 --a------ C:\WINDOWS\SYSTEM\winaspi.dll
2007-08-10 22:16 4,672 --a------ C:\WINDOWS\SYSTEM\wowpost.exe
2007-08-10 20:59 <DIR> d-------- C:\Program Files\pike
2007-08-05 13:17 <DIR> d-------- C:\Program Files\TVersity
2007-08-05 13:16 60,273 --a------ C:\WINDOWS\SYSTEM32\pthreadGC2.dll
2007-08-05 13:16 10,752 --a------ C:\WINDOWS\SYSTEM32\ff_vfw.dll
2007-08-05 13:16 <DIR> d-------- C:\Program Files\ffdshow
2007-08-01 02:27 <DIR> d-------- C:\Program Files\MediaCoder
2007-07-31 23:42 2,951 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2007-07-31 23:40 507,768 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall.exe
2007-07-31 23:40 <DIR> d-------- C:\Program Files\Illustrate
2007-07-31 19:24 <DIR> d-------- C:\Program Files\FLAC
2007-07-31 11:56 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\NCH Swift Sound
2007-07-31 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Swift Sound
2007-07-31 11:55 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-07-31 11:55 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\NCH Swift Sound
2007-07-31 11:42 <DIR> d-------- C:\Program Files\Medieval Software
2007-07-29 22:22 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\ImgBurn
2007-07-29 22:07 <DIR> d-------- C:\Program Files\ImgBurn
2007-07-29 21:38 344,064 --a------ C:\WINDOWS\SYSTEM32\msvcr70.dll
2007-07-29 21:38 1,700,352 --a------ C:\WINDOWS\SYSTEM32\GdiPlus.dll
2007-07-29 21:38 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-07-29 18:04 <DIR> d-------- C:\Program Files\Allok AVI to DVD SVCD VCD Converter
2007-07-27 18:19 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\FoxieSpywareSwiftSweeper
2007-07-27 18:18 <DIR> d-------- C:\Program Files\Foxie Suite
2007-07-26 00:14 <DIR> d-------- C:\Program Files\Yahoo SiteBuilder
2007-07-25 23:59 <DIR> d-------- C:\Program Files\FreshWebmaster
2007-07-25 23:26 7,864,320 --a------ C:\DOCUME~1\owner\ntuser.dat
2007-07-25 23:26 1,310,720 --a------ C:\DOCUME~1\LOCALS~1.NTA\ntuser.dat
2007-07-25 23:26 <DIR> d-------- C:\Program Files\A.F.5 Rename your files 1.1
2007-07-25 13:56 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-07-25 13:55 <DIR> d-------- C:\Program Files\The Rosetta Stone
2007-07-24 23:29 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\WinRAR
2007-07-23 21:36 <DIR> d-------- C:\Program Files\ZC2.10
2007-07-23 02:10 <DIR> d-------- C:\Program Files\Moleskinsoft Clone Remover 1.9
2007-07-23 01:54 <DIR> d-------- C:\Program Files\PictureRelate
2007-07-22 22:46 6,688 --a------ C:\WINDOWS\SYSTEM32\Digita.sys
2007-07-22 22:46 49,152 --a------ C:\WINDOWS\SYSTEM32\TransportUSB.dll
2007-07-22 22:46 49,152 --a------ C:\WINDOWS\SYSTEM32\TransportSerial.dll
2007-07-22 22:46 45,568 --a------ C:\WINDOWS\SYSTEM32\DC210.dll
2007-07-22 22:46 43,520 --a------ C:\WINDOWS\SYSTEM32\ekfpixaudio.dll
2007-07-22 22:46 4,608 --a------ C:\WINDOWS\SYSTEM32\ekfpixguid.dll
2007-07-22 22:46 335,872 --a------ C:\WINDOWS\SYSTEM32\ldf252.dll
2007-07-22 22:46 32,768 --a------ C:\WINDOWS\SYSTEM32\F210.dll
2007-07-22 22:46 230,400 --a------ C:\WINDOWS\SYSTEM32\DC265.dll
2007-07-22 22:46 138,240 --a------ C:\WINDOWS\SYSTEM32\ekfpixexif.dll
2007-07-22 22:46 126,976 --a------ C:\WINDOWS\SYSTEM32\lwf214p.dll
2007-07-22 22:46 110,592 --a------ C:\WINDOWS\SYSTEM32\DC240.dll
2007-07-22 22:45 7,168 --a------ C:\WINDOWS\SYSTEM32\Jgme500.dll
2007-07-22 22:45 15,872 --a------ C:\WINDOWS\SYSTEM32\Jgpl500.dll
2007-07-22 22:45 144,896 --a------ C:\WINDOWS\SYSTEM32\Jgdw500.dll
2007-07-22 22:45 13,312 --a------ C:\WINDOWS\SYSTEM32\Jgst500.dll
2007-07-22 22:45 11,264 --a------ C:\WINDOWS\SYSTEM32\Jgid500.dll
2007-07-22 22:45 11,264 --a------ C:\WINDOWS\SYSTEM32\Jgar500.dll
2007-07-22 22:45 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\ACD Systems
2007-07-22 22:44 <DIR> d-------- C:\Program Files\ACD Systems
2007-07-22 22:43 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\ACDInTouch
2007-07-22 22:10 <DIR> d-------- C:\Program Files\eBay-Icon
2007-07-22 22:10 <DIR> d-------- C:\Program Files\AntiTwin
2007-07-22 17:20 <DIR> d-------- C:\Program Files\Educational Simulations
2007-07-19 23:00 <DIR> d-------- C:\Program Files\Power Tab Software
2007-07-19 14:47 <DIR> d-------- C:\Program Files\CCleaner
2007-07-19 14:14 <DIR> d-------- C:\Program Files\Dobermann
2007-07-18 23:49 <DIR> d-------- C:\Program Files\MAIET


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 17:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-10 22:26 --------- d-------- C:\DOCUME~1\owner\APPLIC~1\acccore
2007-07-10 22:24 --------- d-------- C:\Program Files\Common Files\AOL
2007-07-10 22:24 --------- d-------- C:\Program Files\AIM6
2007-07-09 12:42 --------- d-------- C:\DOCUME~1\owner\APPLIC~1\Hamachi
2007-07-09 12:41 25544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-07-08 22:18 --------- d-------- C:\Program Files\jv16 PowerTools 2006
2007-07-04 00:06 --------- d-------- C:\Program Files\Add Remove Pro
2007-07-02 17:55 --------- d-------- C:\Program Files\GALA-NET
2007-05-16 10:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll
2004-11-20 23:37 266 ---hs---- C:\Program Files\desktop.ini
2004-11-20 23:37 11079 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2004-08-04 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Chronos"="C:\Program Files\Chronos\Chronos.exe" [2006-07-22 18:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"StartFoxie"="C:\Program Files\Foxie Suite\StartFoxie.exe" [2005-11-09 09:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 15:22]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 19:34]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-12-13 18:27]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"P2kAutostart"="" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]

C:\Documents and Settings\owner\Start Menu\Programs\Startup\
OpenOffice.org 1.1.5.lnk - C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe [2005-07-12 01:10:00]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
EZ-DUB Finder.lnk - C:\Program Files\EZ-DUB\EZ-DUB.exe [2005-09-13 19:47:52]
SnapDetect.lnk - C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe [2006-09-25 20:11:25]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-18 14:49:31]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\owner\My Documents\My Pictures\4chan\4sal-end.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= C:\Documents and Settings\owner\My Documents\My Pictures\Wallpaper\1120039494231.png
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BurnWorld.Com BurnOn CD&DVD_is1"= {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll [2007-07-22 18:18 102543]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
C:\FRAPS\FRAPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1135391849\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKExe]
c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarSkin]
C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\system32\tcpsvcs.exe
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
S1 rxp;rxp;\??\C:\WINDOWS\system32\drivers\rxp.sys
S3 AFW;AFW;\??\C:\WINDOWS\system32\drivers\mhd.sys
S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\system32\tcpsvcs.exe
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 rtl8180;Belkin 11Mbps Wireless Notebook Network Card Driver;C:\WINDOWS\system32\DRIVERS\Bel6020.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{582edb60-0432-11dc-a21b-00038a000015}]
AutoRun\command- E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2005-11-28 03:00:02 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job - C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 01:56:36
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = ???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 1:59:45 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-13 01:59
C:\ComboFix2.txt ... 2007-08-13 01:57

--- E O F ---

Latest HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:04, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Foxie Suite\StartFoxie.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Foxie Suite\Firewall.exe
C:\Documents and Settings\owner\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Chronos] C:\Program Files\Chronos\Chronos.exe s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O21 - SSODL: BurnWorld.Com BurnOn CD&DVD_is1 - {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\4sal-end.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\Wallpaper\1120039494231.png

--
End of file - 9900 bytes

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 14 August 2007 - 01:41 PM

You have McAfee and Avast4 installed.
It is not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system, due to the two conflicting with each other.
You should uninstall one or the other as soon as possible, then restart your PC.

---------------------------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE).
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save it to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then, from your desktop, double-click on jre-6u2-windows-i586-p.exe to install the newest version.

--------------------------------------------------

Download and install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

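Every entry RichieUK has HijackThis fix above is marked "(file missing)" or "(no file)": a registry reference to a BHO or toolbar whose DLL is no longer on disk, which loads nothing and is safe to remove, while an entry whose file is present calls for a look at the file itself. As an added example (not part of the thread and not HijackThis's own code), this Python parser pulls the type, CLSID and path out of O2/O3/O9 lines and flags such orphaned entries; the sample lines are copied from the log posted earlier in this thread, and the field layout assumed by the regex is the one those lines show.

```python
"""Parse HijackThis O2/O3/O9 entries and flag orphaned (file-missing) ones."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Entry types that reference a COM object by CLSID plus an on-disk path.
CLSID_ENTRY_TYPES = {"O2", "O3", "O9"}

# Assumed layout, taken from the posted log: "<type> - <kind>: <name> - {CLSID} - <path>"
LINE_RE = re.compile(
    r"^(?P<type>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)


@dataclass
class HjtEntry:
    entry_type: str
    kind: str
    name: str
    clsid: str
    path: str      # empty when HJT printed "(no file)"
    missing: bool  # True when HJT marked the target as absent


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for an O2/O3/O9 line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("type") not in CLSID_ENTRY_TYPES:
        return None
    path = m.group("path").strip()
    # HJT appends "(file missing)" when the registered DLL path is absent,
    # and prints "(no file)" when the toolbar has no path registered at all.
    missing = path.endswith("(file missing)") or path == "(no file)"
    clean_path = "" if path == "(no file)" else path.replace("(file missing)", "").strip()
    return HjtEntry(m.group("type"), m.group("kind"), m.group("name"),
                    m.group("clsid").upper(), clean_path, missing)


def orphaned_entries(log_text: str) -> List[HjtEntry]:
    """Entries whose registered CLSID points at a file that is gone.

    These are the usual candidates for a HijackThis 'Fix checked'; entries with
    a file present need the file examined, not just the registry key deleted.
    """
    entries = (parse_hjt_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.missing]


# Constructed sample: a handful of lines copied from the HJT log in this thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\\PROGRA~1\\VMNTOO~1\\VMNTOO~1.DLL (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\\Program Files\\AOL Toolbar\\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e.entry_type} {e.name!r} {{{e.clsid}}} -> {e.path or '(no file)'}")
```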

#7 hibachi

  • Topic Starter
  • Members
  • 63 posts

Posted 14 August 2007 - 04:48 PM

My PC's status is more of a mixed bag now. I did everything you told me to do, but during the process some strange things happened, though everything seems to be running at its normal speeds. The only extra slowdown I've noticed is that start-up now takes about twice as long as it used to, and the mhd.sys infection window pops up only during that time. I can open folders now without them crashing or the infection window coming up, though. While I was clicking around the internet and obtaining the SUPERAntiSpyware program, I got a message that Internet Explorer had encountered an error and had to end. This did not affect me, however, because I wasn't actually using Internet Explorer. That was not the first time it happened either, as the error message came up last night while I was just using Firefox. The last thing to report is that while SUPERAntiSpyware was running its search through the System Restore files, Avast! popped up twice to tell me that two files were infected. I was going to clear out my System Restore, but I thought it would be wiser to wait and see what you had to say.

Anyway, here is the SAS Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/14/2007 at 03:17 PM

Application Version : 3.9.1008

Core Rules Database Version : 3285
Trace Rules Database Version: 1296

Scan type : Complete Scan
Total Scan Time : 00:09:41

Memory items scanned : 550
Memory threats detected : 0
Registry items scanned : 5335
Registry threats detected : 0
File items scanned : 39612
File threats detected : 49

Adware.Tracking Cookie
C:\Documents and Settings\owner\Cookies\owner@www.somethingsexyplanet[1].txt
C:\Documents and Settings\owner\Cookies\owner@pornotube[1].txt
C:\Documents and Settings\owner\Cookies\owner@a.websponsors[1].txt
C:\Documents and Settings\owner\Cookies\owner@ads.habbohotel[2].txt
C:\Documents and Settings\owner\Cookies\owner@27428686[2].txt
C:\Documents and Settings\owner\Cookies\owner@server.cpmstar[1].txt
C:\Documents and Settings\owner\Cookies\owner@76162232[1].txt
C:\Documents and Settings\owner\Cookies\owner@html[1].txt
C:\Documents and Settings\owner\Cookies\owner@dist.belnk[3].txt
C:\Documents and Settings\owner\Cookies\owner@player[2].txt
C:\Documents and Settings\owner\Cookies\owner@track.websitetrafficreport[2].txt
C:\Documents and Settings\owner\Cookies\owner@milfpornpass[1].txt
C:\Documents and Settings\owner\Cookies\owner@hentaicounter[1].txt
C:\Documents and Settings\owner\Cookies\owner@ads.newgrounds[2].txt
C:\Documents and Settings\owner\Cookies\owner@sales.liveperson[2].txt
C:\Documents and Settings\owner\Cookies\owner@1072697210[1].txt
C:\Documents and Settings\owner\Cookies\owner@sexmedo[2].txt
C:\Documents and Settings\owner\Cookies\owner@clicksor[1].txt
C:\Documents and Settings\owner\Cookies\owner@ad2.habbohotel[2].txt
C:\Documents and Settings\owner\Cookies\owner@interclick[2].txt
C:\Documents and Settings\owner\Cookies\owner@revsci[1].txt
C:\Documents and Settings\owner\Cookies\owner@www.burstbeacon[2].txt
C:\Documents and Settings\owner\Cookies\owner@www.pornotube[2].txt
C:\Documents and Settings\owner\Cookies\owner@counter1.fc2[1].txt
C:\Documents and Settings\owner\Cookies\owner@toplist[1].txt
C:\Documents and Settings\owner\Cookies\owner@html[2].txt
C:\Documents and Settings\owner\Cookies\owner@clicks.emarketmakers[1].txt
C:\Documents and Settings\owner\Cookies\owner@www.jointheporn[1].txt
C:\Documents and Settings\owner\Cookies\owner@belnk[1].txt
C:\Documents and Settings\owner\Cookies\owner@burstnet[1].txt
C:\Documents and Settings\owner\Cookies\owner@ad[4].txt
C:\Documents and Settings\owner\Cookies\owner@st[2].txt
C:\Documents and Settings\owner\Cookies\owner@www.teens-photos[2].txt
C:\Documents and Settings\owner\Cookies\owner@adknowledge[2].txt
C:\Documents and Settings\owner\Cookies\owner@www.bravoteens[1].txt
C:\Documents and Settings\owner\Cookies\owner@atwola[4].txt
C:\Documents and Settings\owner\Cookies\owner@partner2profit[2].txt
C:\Documents and Settings\owner\Cookies\owner@ads.as4x.tmcs.ticketmaster[1].txt
C:\Documents and Settings\owner\Cookies\owner@ads.habbogroup[1].txt
C:\Documents and Settings\owner\Cookies\owner@somethingsexyplanet[2].txt
C:\Documents and Settings\owner\Cookies\owner@adprofile[2].txt
C:\Documents and Settings\owner\Cookies\owner@xiti[1].txt
C:\Documents and Settings\owner\Cookies\owner@atwola[1].txt
C:\Documents and Settings\owner\Cookies\owner@ar.atwola[2].txt
C:\Documents and Settings\owner\Cookies\owner@ar.atwola[3].txt
C:\Documents and Settings\owner\Cookies\owner@atwola[3].txt
C:\Documents and Settings\owner\Cookies\owner@dist.belnk[2].txt
C:\Documents and Settings\owner\Cookies\owner@atwola[2].txt

Unclassified.Unknown Origin/System
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\TROJAN~1.EXE


And here is the latest HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:05 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Foxie Suite\StartFoxie.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Foxie Suite\Firewall.exe
C:\Documents and Settings\owner\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Chronos] C:\Program Files\Chronos\Chronos.exe s
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: BurnWorld.Com BurnOn CD&DVD_is1 - {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\4sal-end.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\Wallpaper\1120039494231.png

--
End of file - 8804 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 15 August 2007 - 09:16 AM

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes', and your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

----------------------------------------------------------

Please run this online virus scan: Activescan, using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.

Post the Activescan report and a new Hijackthis log.
Let me know what's happening now.

#9 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts

Posted 15 August 2007 - 01:59 PM

Start up still takes an abysmally long time, but the mhd.sys infection window no longer appears. Everything else seems to be running normally. The Internet Explorer Desktop Shortcut seems to have reappeared, even though I removed it myself a long time ago, but now the icon looks like the generic unrecognized file extension icon. Other than that, everything seems fine. I had to disable avast! while Activescan was on, since they conflicted, but I didn't connect to any websites during that time besides this one.

Here's ActiveScan's Log:

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NIRCMD.EXE
Virus:Generic Malware Disinfected C:\Program Files\JFK Reloaded\JFK Reloaded v1.0.1 patch.exe
Adware:Adware/NSISMedia Not disinfected C:\Program Files\Visicom Media\AceFTP 3 Freeware\vmntoolbar\vmntoolbarsetup1.6_en.exe[\NSIS.Library.RegTool.v2.+.exe]
Adware:Adware/TrustIn Not disinfected C:\Documents and Settings\OWNER\My Documents\hja8Tqcw20.rar[crack.exe]
Adware:Adware/NSISMedia Not disinfected C:\Documents and Settings\OWNER\My Documents\aceftp3free.exe[vmntoolbarsetup1.6_en.exe][\NSIS.Library.RegTool.v2.+.exe]
Adware:Adware/NSISMedia Not disinfected C:\Documents and Settings\OWNER\My Documents\aceftp3free.exe[\NSIS.Library.RegTool.v2..exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\OWNER\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\OWNER\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\OWNER\Desktop\SmitfraudFix\RESTART.EXE
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\OWNER\Cookies\owner@atwola[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\OWNER\Cookies\owner@target[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\OWNER\Cookies\owner@ct.360i[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.statcounter.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.com.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.casalemedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.adrevolver.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.bravenet.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.zedo.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[www.burstbeacon.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.clickbank.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.serving-sys.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\a53x6d47.default\COOKIES.TXT[.xiti.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\count.jar-6840731f-1175d138.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\count.jar-6840731f-1175d138.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\count.jar-6840731f-1175d138.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\count.jar-6840731f-1175d138.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\CACHE\6.0\5\11867d05-52dd7bf5[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\CACHE\6.0\5\11867d05-52dd7bf5[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\CACHE\6.0\5\11867d05-52dd7bf5[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\CACHE\6.0\5\11867d05-52dd7bf5[Beyond.class]


And here is the newest HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:06 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Foxie Suite\StartFoxie.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\SYSTEM32\mspaint.exe
C:\WINDOWS\SYSTEM32\mspaint.exe
C:\WINDOWS\SYSTEM32\mspaint.exe
C:\WINDOWS\SYSTEM32\mspaint.exe
C:\WINDOWS\system32\mspaint.exe
C:\Documents and Settings\owner\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Chronos] C:\Program Files\Chronos\Chronos.exe s
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: BurnWorld.Com BurnOn CD&DVD_is1 - {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\4sal-end.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\Wallpaper\1120039494231.png

--
End of file - 9052 bytes
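The helper in this thread reads each new HijackThis log against the previous one and looks for entries that changed or that deserve a second look. The following is an added example, not code from the thread, from BleepingComputer or from the HijackThis tool: a small Python (standard library only) triage helper that parses the line-oriented HJT format shown above, diffs two logs, and flags entries a responder would check first (`(file missing)`, `Unknown owner`, `(no name)`, Run entries with a bare file name and no path, and O16 DPF controls downloaded over HTTP). The two sample logs are constructed excerpts of the logs posted in this thread, trimmed to a handful of lines.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example, not part of the BleepingComputer thread or the HijackThis
tool.  Assumes only the line format visible in the posted logs:
    <code> - <body>      e.g.  O23 - Service: ... - Owner - C:\path\file.exe
Sample logs below are short excerpts constructed from the thread's logs.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# An HJT entry line: a code such as R0 / O4 / O23, ' - ', then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# Markers the thread's helper reacts to when reading a log.
SUSPECT_MARKERS = (
    "(file missing)",   # entry points at a file that no longer exists
    "Unknown owner",    # O23 service with no publisher information
    "(no name)",        # BHO or button registered without a name
)


@dataclass(frozen=True, order=True)
class Entry:
    code: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Return every 'Xn - ...' entry in the log, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def running_processes(text: str) -> List[str]:
    """Return the paths listed under 'Running processes:' (up to the blank line)."""
    procs, collecting = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line:
                break
            procs.append(line)
    return procs


def diff_logs(old: str, new: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries present only in the new log, and entries that disappeared."""
    old_set, new_set = set(parse_hjt(old)), set(parse_hjt(new))
    return sorted(new_set - old_set), sorted(old_set - new_set)


def flag_entries(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Pair each entry that deserves review with the reasons it was flagged."""
    findings = []
    for e in entries:
        reasons = [m for m in SUSPECT_MARKERS if m in e.body]
        if e.code == "O4" and "] " in e.body:
            # Run value like '[SystemTray] SysTray.Exe': no path means the
            # binary is resolved through the search path at logon.
            target = e.body.split("] ", 1)[1]
            if "\\" not in target:
                reasons.append("Run entry has no full path")
        if e.code == "O16" and "http://" in e.body:
            reasons.append("ActiveX control downloaded over HTTP; verify the URL")
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed excerpt of the 8/12/2007 log from the thread (first post).
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:06 AM, on 8/12/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\owner\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed excerpt of the 8/15/2007 log: the Java button now points at
# ssv.dll and the Panda ActiveScan control was added by the online scan.
NEW_LOG = OLD_LOG.replace("npjpi160_02.dll", "ssv.dll") + (
    r"O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)"
    r" - http://acs.pandasoftware.com/activescan/as5free/asinst.cab" + "\n"
)

if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    print("Added since last log:")
    for e in added:
        print("  +", e.code, e.body)
    print("Removed since last log:")
    for e in removed:
        print("  -", e.code, e.body)
    print("Entries to review in the new log:")
    for e, reasons in flag_entries(parse_hjt(NEW_LOG)):
        print("  ", e.code, e.body[:60], "->", "; ".join(reasons))
```

Run it as a script to see the added/removed entries and the review list; `diff_logs` is the part worth keeping between posts, since it shows exactly what a cleanup step (here the online scan) changed, while `flag_entries` encodes the markers the helper in this thread scans a log for by eye.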

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 15 August 2007 - 02:51 PM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.

Now run AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

1) Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

2) Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done, then restart your pc.

Also post a new Hijackthis log.
Let me know how your pc is running now.

#11 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts

Posted 15 August 2007 - 08:52 PM

Start up is getting faster, though it's still going slower than normal, but I think that might be because there is more stuff going now, AVG and SuperAnti. Also, AVG would not allow me to save the report; it was greyed out. However, I copied down everything that was quarantined and all the cookies that were deleted.
This is everything AVG got:
35 Objects (179 Traces)

Hijacker.Agent.dw
Backdoor.Ifinst
Downloader.Small.ddp
Trojan.Proxcrak.A
Trohan.Qhosts.HE
Adware.Kazaap
TrackingCookie.Revsci
TrackingCookie.Webtrends
TrackingCookie.Msn
TrackingCookie.Nacrcholu
TrackingCookie.Live
TrackingCookie.Netflame
TrackingCookie.Paypal
TrackingCookie.Statcounter
TrackingCookie.Adrevolver
TrackingCookie.Cpvfeed
TrackingCookie.Clickhype
TrackingCookie.Com
TrackingCookie.Adbrite
TrackingCookie.Yieldmanager
TrackingCookie.Casalemedia
TrackingCookie.Realmedia
TrackingCookie.Imrworldwide
TrackingCookie.Tacoda
TrackingCookie.Zedo
TrackingCookie.Burstnet
TrackingCookie.Burstbeacon
TrackingCookie.Clickbank
TrackingCookie.Cqcounter
TrackingCookie.Pro-market
TrackingCookie.Serving-sys
TrackingCookie..Esomniture
TrackingCookie.Admarketplace
TrackingCookie.Sexcounter
TrackingCookie.Information

And the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:08 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Foxie Suite\StartFoxie.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\owner\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Chronos] C:\Program Files\Chronos\Chronos.exe s
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: BurnWorld.Com BurnOn CD&DVD_is1 - {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\4sal-end.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\Wallpaper\1120039494231.png

--
End of file - 9334 bytes

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 16 August 2007 - 08:10 AM

I've noticed AVG Anti-Spyware removed Backdoor.Ifinst
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

-----------------------------------------------
Uninstall/remove the following programs via Control Panel/Add or Remove Programs, then restart your pc.
AVG Anti-Spyware
SUPERAntiSpyware
Foxie Suite


Post a new Hijackthis log.
Let me know how your pc is running now.

#13 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts

Posted 16 August 2007 - 12:34 PM

Startup has returned to its usual speed now, which is good. However, your request to remove Foxie Suite has left me without a firewall for now. As for the Backdoor virus, I don't believe this computer was ever used to pay bills; however, it has been networked to one that does for about a month and a half. Should I run AVG on that one as well to be sure it isn't infected?

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:41 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\owner\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Chronos] C:\Program Files\Chronos\Chronos.exe s
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O21 - SSODL: BurnWorld.Com BurnOn CD&DVD_is1 - {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\4sal-end.gif
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\Wallpaper\1120039494231.png

--
End of file - 7303 bytes

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 16 August 2007 - 12:51 PM

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
c:\program files\burnworld\burnoncddvd\windsitd32.dll
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
c:\program files\burnworld\burnoncddvd\windsitd32.dll
Then click on 'Send File'.
Post the results into your next reply.

Also post a new Hijackthis log.

#15 hibachi

hibachi
  • Topic Starter

  • Members
  • 63 posts

Posted 16 August 2007 - 01:02 PM

File: windsitd32.dll
Status: INFECTED/MALWARE
MD5: fc0a2fe89d31d95a20ece85dfb24284d
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 16 Aug 2007 17:55:25 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Crypted
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic5.FUX
BitDefender Found Dropped:Backdoor.Pigeon.AXR
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably a variant of Win32/Genetik (probable variant)
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Embedded.Trojan.Click.2068 (probable variant)


HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:51 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\DOCUME~1\owner\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\owner\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\owner\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Chronos] C:\Program Files\Chronos\Chronos.exe s
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O21 - SSODL: BurnWorld.Com BurnOn CD&DVD_is1 - {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\4chan\4sal-end.gif
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\owner\My Documents\My Pictures\Wallpaper\1120039494231.png

--
End of file - 7545 bytes
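The signals the helper acted on in this thread (the O21 SSODL entry pointing at windsitd32.dll, a service with no known owner or a missing file, a process running from Temp) and the multi-engine verdicts that confirmed the file can be checked mechanically. The script below is an added example, not a BleepingComputer or HijackThis tool; its sample input is a constructed subset of lines copied from the logs and the Jotti result above.

```python
"""Triage helpers for a HijackThis log and a multi-engine scan report.
Added example for this thread, not a BleepingComputer or HijackThis tool.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "reason line")

ENTRY_RE = re.compile(r"^(O\d+|R\d) - ")           # an HJT entry line
TEMP_RE = re.compile(r"\\Temp\\", re.I)           # ...\Temp\... in a path
VERDICT_RE = re.compile(r"^(?P<engine>.+?) Found (?P<verdict>.+)$")

# Constructed sample: a subset of lines copied from the thread's third log.
SAMPLE_HJT = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\owner\LOCALS~1\Temp\~e5d141.tmp

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O21 - SSODL: BurnWorld.Com BurnOn CD&DVD_is1 - {6BE0843F-286D-2AA1-5430-A9856A8E9627} - c:\program files\burnworld\burnoncddvd\windsitd32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed sample: a subset of the Jotti verdicts posted in the thread.
SAMPLE_REPORT = """A-Squared Found nothing
AntiVir Found HEUR/Crypted
AVG Antivirus Found Generic5.FUX
BitDefender Found Dropped:Backdoor.Pigeon.AXR
Kaspersky Anti-Virus Found nothing
Sophos Antivirus Found nothing
"""


def triage_hjt(log_text):
    """Return Finding objects for log lines that deserve a closer look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                      # blank line ends the process list
            in_processes = False
            continue
        if in_processes:
            if TEMP_RE.search(line):
                findings.append(Finding("process running from a Temp folder", line))
            continue
        if not ENTRY_RE.match(line):
            continue
        if line.startswith("O21 - SSODL:"):
            # SSODL loads a DLL into Explorer at logon; legitimate software rarely needs it.
            findings.append(Finding("SSODL autostart entry", line))
        if line.startswith("O23 - Service:") and "Unknown owner" in line:
            findings.append(Finding("service with no identified publisher", line))
        if "(file missing)" in line:
            findings.append(Finding("entry points at a file that no longer exists", line))
    return findings


def detection_ratio(report_text):
    """Count 'Engine Found verdict' lines; return (detections, engines)."""
    verdicts = [m.group("verdict").strip().lower()
                for m in map(VERDICT_RE.match, report_text.splitlines()) if m]
    return sum(v != "nothing" for v in verdicts), len(verdicts)
```

Flagged lines are candidates for review, not verdicts: the Temp-folder process next to Adobelmsvc.exe in the log above may be a licensing helper, while the SSODL entry is the one worth submitting to a scanner first.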
