
My Log


18 replies to this topic

#1 JewelSummoner

Posted 23 October 2007 - 03:44 PM

Hello, I thought I would post my log and make sure everything is fine :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:38:18, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5112.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wt32exe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NVATray.exe
C:\WINDOWS\system32\tblmouse.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CAEB9BA-CBBB-4C8B-80AC-09EE6E427F55}: NameServer = 195.92.195.94,192.168.2.1
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O22 - SharedTaskScheduler: IE Browseui preloader - {240E2B94-741E-4513-B66A-60EC26A9EF26} - C:\WINDOWS\system32\ieframe.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\system32\Wt32exe.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7305 bytes

thanks!


#2 Guest_Cretemonster_*


Posted 25 October 2007 - 11:19 AM

Hi JewelSummoner and Welcome to the Bleeping Computer!

C:\WINDOWS\services.exe <--- Doesn't look nice.

Have that file scanned at the site below please.
http://www.virutotal.com

Save the results to notepad and post them back here please.


After that, print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode, and you will not have access to this page.

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and, after hearing your computer beep once during startup [but before the Windows icon appears], press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
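The indicator Cretemonster picked out above (a binary named like a core Windows process, but running from C:\WINDOWS rather than C:\WINDOWS\system32, and launched from a Run key), written up as an added example that is not part of this thread: a small Python parser over HijackThis-format lines that flags both conditions. The log excerpt, the process list and the paths it checks against are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Core Windows XP system processes. They are started by the boot chain
# (smss -> winlogon -> services/lsass) or the Service Control Manager, live
# only under %SystemRoot%\system32, and are never launched from a Run key.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
SYSTEM32 = "c:\\windows\\system32"   # assumes a default XP install on C:

# O4 lines look like:  O4 - HKLM\..\Run: [Value name] "C:\path\prog.exe" /args
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First executable in the command, quoted or not, with or without arguments.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)"?(\s|$)', re.IGNORECASE)

# Constructed HijackThis excerpt in the same shape as the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.example.invalid/
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
"""


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    paths, collecting = [], False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def run_key_entries(log_text):
    """Yield (hive, value name, launched exe path) for every O4 ...\\Run line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m.group("cmd"))
        if exe:
            yield m.group("hive"), m.group("name"), exe.group("path")


def classify(path):
    """Reason string if `path` is a core process name outside system32, else None."""
    p = PureWindowsPath(path)
    if p.name.lower() not in CORE_PROCESSES:
        return None
    parent = str(p.parent).lower()
    if parent == ".":            # bare file name: resolved through the search path
        return "core process name with no directory"
    if parent != SYSTEM32:
        return f"core process name outside {SYSTEM32}"
    return None


def find_masquerades(log_text):
    """Findings as (section, path, reason) tuples, in log order."""
    findings = []
    for path in running_processes(log_text):
        reason = classify(path)
        if reason:
            findings.append(("Running processes", path, reason))
    for hive, name, exe in run_key_entries(log_text):
        if PureWindowsPath(exe).name.lower() in CORE_PROCESSES:
            # A real core process never autostarts from a Run key, whatever its path.
            findings.append(("O4 Run", exe, f"core process launched from {hive} Run key [{name}]"))
    return findings


if __name__ == "__main__":
    for section, path, reason in find_masquerades(SAMPLE_LOG):
        print(f"{section}: {path} -> {reason}")
```

Run against a full log, the Running processes check is the one that catches the C:\WINDOWS\services.exe entry, and the O4 check catches the [Windows] Run key that starts it.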


#3 JewelSummoner


Posted 25 October 2007 - 03:00 PM

Hello Cretemonster, and thanks for the reply!

Scanned the file you requested (I noticed it mentions Tibia, this is an online game I play... funny thing is that recently ZoneAlarm has been warning me that "C:\WINDOWS\services.exe" is trying to connect to the internet, and it only tries to connect when I play Tibia. At first I thought it was some sort of keylogger, as Tibia requires an account, but when I denied it access it made my gameplay really slow, so now I just let it connect). I've played Tibia for years but this is only recent, which is worrying.

Antivirus Version Last Update Result
AhnLab-V3 2007.10.26.0 2007.10.25 Win-Trojan/Tibia.88614
AntiVir 7.6.0.27 2007.10.25 -
Authentium 4.93.8 2007.10.25 -
Avast 4.7.1074.0 2007.10.25 Win32:Delf-GBB
AVG 7.5.0.503 2007.10.25 Generic7.LZB
BitDefender 7.2 2007.10.25 Trojan.Agent.AFGG
CAT-QuickHeal 9.00 2007.10.25 Trojan.Delf.baa
ClamAV 0.91.2 2007.10.25 Trojan.Delf-1689
DrWeb 4.44.0.09170 2007.10.25 -
eSafe 7.0.15.0 2007.10.22 -
eTrust-Vet 31.2.5241 2007.10.25 -
Ewido 4.0 2007.10.25 Trojan.Tibia.ar
FileAdvisor 1 2007.10.25 -
Fortinet 3.11.0.0 2007.10.19 W32/Delf.BAA!tr
F-Prot 4.3.2.48 2007.10.25 W32/Trojan.CGKB
F-Secure 6.70.13030.0 2007.10.25 Trojan.Win32.Delf.baa
Ikarus T3.1.1.12 2007.10.25 Trojan-Downloader.Win32.Small.dbv
Kaspersky 7.0.0.125 2007.10.25 Trojan.Win32.Delf.baa
McAfee 5149 2007.10.25 -
Microsoft 1.2908 2007.10.25 -
NOD32v2 2617 2007.10.25 -
Norman 5.80.02 2007.10.25 W32/Delf.AQJU
Panda 9.0.0.4 2007.10.25 Trj/Downloader.MDW
Prevx1 V2 2007.10.25 -
Rising 19.46.31.00 2007.10.25 Trojan.Win32.Delf.baa
Sophos 4.22.0 2007.10.25 -
Sunbelt 2.2.907.0 2007.10.24 -
Symantec 10 2007.10.25 -
TheHacker 6.2.9.107 2007.10.25 -
VBA32 3.12.2.4 2007.10.25 Trojan.Win32.Delf.baa
VirusBuster 4.3.26:9 2007.10.25 -
Webwasher-Gateway 6.6.1 2007.10.25 -
Additional information
File size: 289557 bytes
MD5: c8542f133275aa7164c7c6310db56d56
SHA1: 4183a2082d9eab13edc8d4cc8314b5cd117cb778

-------------------------------------------------------------------------------


SDFix: Version 1.112

Run by NARAN on Fri 10/26/2007 at 20:08

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\emdat.tm - Deleted
C:\WINDOWS\services.exe - Deleted
C:\WINDOWS\system32\hook.dll - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 17 Jan 2003 74 A..H. --- "C:\WINDOWS\NIWDEYU.DLL"
Wed 1 Mar 2006 71,168 ..SHR --- "C:\Program Files\PPLive TV\Setup.exe"
Mon 30 May 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 2 Jul 2007 28,672 ...H. --- "C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\~WRL0723.tmp"
Mon 23 May 2005 62 A.SH. --- "C:\Documents and Settings\TEMP.76-LAMORNA-GRV.001\Start Menu\prf25.tmp"
Mon 23 May 2005 206 A.SH. --- "C:\Documents and Settings\TEMP.76-LAMORNA-GRV.001\Start Menu\Programs\prf18.tmp"
Mon 30 May 2005 4,348 ...H. --- "C:\Documents and Settings\NARAN\My Documents\My Music\License Backup\drmv1key.bak"
Mon 30 May 2005 20 A..H. --- "C:\Documents and Settings\NARAN\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 30 May 2005 488 ...H. --- "C:\Documents and Settings\NARAN\My Documents\My Music\License Backup\drmv2key.bak"
Mon 30 May 2005 1,536 A..H. --- "C:\Documents and Settings\NARAN\My Documents\My Music\License Backup\drmv2lic.bak"
Mon 23 May 2005 84 A.SH. --- "C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Start Menu\Programs\Accessories\Entertainment\prf1D.tmp"

Finished!

-------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:48:58, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5112.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wt32exe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NVATray.exe
C:\WINDOWS\system32\tblmouse.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CAEB9BA-CBBB-4C8B-80AC-09EE6E427F55}: NameServer = 195.92.195.94,192.168.2.1
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O22 - SharedTaskScheduler: IE Browseui preloader - {240E2B94-741E-4513-B66A-60EC26A9EF26} - C:\WINDOWS\system32\ieframe.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\system32\Wt32exe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 6992 bytes

#4 Guest_Cretemonster_*


Posted 25 October 2007 - 05:19 PM

If you don't mind, I'd like a better look inside there.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#5 JewelSummoner


Posted 26 October 2007 - 10:24 AM

Hello! As requested:

ComboFix 07-10-23.2 - NARAN 2007-10-26 15:53:04.1 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\msnmsgr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.

2007-10-26 20:07 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-26 15:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 17:14 <DIR> d-------- C:\Program Files\Asprate
2007-10-10 12:51 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 19:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 19:44 --------- d-----w C:\Program Files\Stardock
2007-10-26 19:39 --------- d-----w C:\Program Files\Winamp
2007-10-26 19:37 --------- d-----w C:\Program Files\Replay Music 2
2007-10-26 19:36 --------- d-----w C:\Program Files\Ulead Systems
2007-10-26 19:36 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-10-26 19:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-26 12:02 --------- d-----w C:\Program Files\Zoom Player
2007-10-15 23:00 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-09-23 19:02 200,080 ----a-w C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Application Data\GDIPFONTCACHEV1.DAT
2007-09-18 23:24 --------- d-----w C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Application Data\uTorrent
2007-09-16 10:20 --------- d-----w C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Application Data\Tibia
2007-09-09 22:48 --------- d-----w C:\Program Files\Tibia Auto
2007-09-09 22:23 --------- d-----w C:\Program Files\Tibia7.5
2007-09-02 00:57 --------- d-----w C:\Program Files\TibiaTek Bot DevTeam
2005-09-16 23:35 8,224 ----a-w C:\Documents and Settings\NARAN\Application Data\GDIPFONTCACHEV1.DAT
2004-02-01 14:00 81,920 ----a-w C:\Documents and Settings\NARAN\Application Data\hruo.exe
2003-06-02 16:06 809 ----a-w C:\Program Files\INSTALL.LOG
2002-12-10 21:19 40 ----a-w C:\Documents and Settings\NARAN\language.dat
2002-12-07 18:42 13,195 ----a-w C:\Documents and Settings\NARAN\zguicfgw.dat
2004-01-03 21:59:24 56 --sha-r C:\WINDOWS\system32\6FB737BE43.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 13:12]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2001-11-28 11:43 C:\WINDOWS\system32\NVATray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"tblfunc"="tblmouse.exe" [2001-08-21 13:56 C:\WINDOWS\system32\tblmouse.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-29 19:09]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-01-18 17:47]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-01-18 17:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2007-01-14 23:51]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoResolveTrack"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{240E2B94-741E-4513-B66A-60EC26A9EF26}"= %SystemRoot%\system32\ieframe.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\InterMute\SpySubtract\sshook.dll [2004-01-05 14:35 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOWS\system32\srr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders , digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
"C:\Program Files\a2\a2guard.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys
R1 AluriaFilter;AluriaFilter;C:\WINDOWS\system32\DRIVERS\AlurFltr.sys
R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys
R2 SVKP;SVKP;\??\C:\WINDOWS\system32\SVKP.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
S2 EZUSB;Cypress General Purpose USB Driver (ezusb.sys);C:\WINDOWS\system32\Drivers\ezusb.sys
S2 EZUSBDEV;Cypress General Purpose USB Driver w/ Keil Monitor (ezusb.sys);C:\WINDOWS\system32\Drivers\ezusb.sys
S3 Cap7134;Cap7134 Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
S3 NikeDrv;nike psa[play driver;C:\WINDOWS\system32\Drivers\NikeDrv.sys
S3 PhTVTune;Tevion WDM TVTuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys
S3 SGUARD;SGUARD;\??\C:\WINDOWS\system32\drivers\SGuard.sys
S3 tablet;Serial Tablet Driver;C:\WINDOWS\system32\DRIVERS\tablet.sys
S3 tbfilter;Tablet Filter Driver;C:\WINDOWS\system32\DRIVERS\tbfilter.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - D:\Setup.exe

*Newly Created Service* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{26923b43-4d38-484f-9b9e-de460746276c}]
"%programfiles%\Internet Explorer\iexplore.exe" -userconfig
.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 16:27:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
"2004-01-03 00:36:01 C:\WINDOWS\Tasks\RegistryMedicAuotScan.job"
- C:\Program Files\Iomatic\Registry Medic\RegMedical.exe
"2004-02-07 23:29:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 16:10:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-26 16:16:48 - machine was rebooted
.
--- E O F ---
--------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:21:44, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5112.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wt32exe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NVATray.exe
C:\WINDOWS\system32\tblmouse.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CAEB9BA-CBBB-4C8B-80AC-09EE6E427F55}: NameServer = 195.92.195.94,192.168.2.1
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O22 - SharedTaskScheduler: IE Browseui preloader - {240E2B94-741E-4513-B66A-60EC26A9EF26} - C:\WINDOWS\system32\ieframe.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\system32\Wt32exe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 6694 bytes

Edited by JewelSummoner, 26 October 2007 - 02:24 PM.


#6 Guest_Cretemonster_*


  • Guests
  • OFFLINE

Posted 26 October 2007 - 03:26 PM

Tell me a little about the setup on this computer?

That user account you're posting from has quite a strange look to it.

#7 JewelSummoner

  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male

Posted 26 October 2007 - 04:47 PM

Uhh, the computer has 4 users which are all admin and I only use the one called naran. I don't really know what else to say :thumbsup: but the ZoneAlarm warning about 'services' has stopped each time I play Tibia.

Edited by JewelSummoner, 26 October 2007 - 04:49 PM.


#8 Guest_Cretemonster_*


  • Guests
  • OFFLINE

Posted 27 October 2007 - 03:21 AM

Definitely different... just haven't seen a user account like that before. I assume everyone can log in OK and get around the computer OK?


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.


#9 JewelSummoner

  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 AM

Posted 30 October 2007 - 08:22 AM

Sorry for the late reply, Crete! I'm the only one who uses the computer and I use the account naran, and yes, everything works fine :thumbsup:

Posted Image

Keep getting this error when running the scan on IE.

#10 Guest_Cretemonster_*


  • Guests
  • OFFLINE

Posted 30 October 2007 - 02:37 PM

Give the Panda Total Scan a try.
http://www.nanoscan.com/as/v1/principal.aspx

#11 JewelSummoner

  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male

Posted 31 October 2007 - 11:00 AM

Hello Crete, I ran Panda Total Scan in Firefox, but for it to clean up I needed to buy it, so I'll just post the results. Also posting a log from Ad-Aware and another HijackThis one for good measure.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-10-31 15:32:24
PROTECTIONS: 2
MALWARE: 45
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ZoneAlarm Security Suite Antivirus 6.0.667.000 Yes No
avast! antivirus 4.6.652 [VPS 0520-4] 4.6.652 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00000431 adware/ist.istbar Adware No 1 Yes No HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net\ny\https
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\windows\msxct1.ini
00026523 Trj/HDFiller Virus/Trojan No 1 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\hask\hdfiller.zip[hdfill.Exe]
00026523 Trj/HDFiller Virus/Trojan No 1 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\hask\hdfiller.zip[hdfill2.Exe]
00029228 adware/mediatickets Adware No 1 Yes No HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net\ny\https
00050330 Trj/BAT.Munga Virus/Trojan No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\hask\harddiskkiller4.zip[hdkp_4.bat]
00053880 Trj/Runner.Small Virus/Trojan No 1 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\hask\harddiskkiller4.zip[hdkp4.exe]
00064455 Adware/SAHAgent Adware No 0 Yes No C:\WINDOWS\inf\biR.inf
00064455 Adware/SAHAgent Adware No 0 Yes No C:\WINDOWS\inf\biS.inf
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\WINDOWS\system32\drivers\etc\hosts.20040106-153555.backup
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\WINDOWS\system32\drivers\etc\hosts.20040110-225913.backup
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\WINDOWS\system32\drivers\etc\hosts.20040110-180319.backup
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\WINDOWS\system32\drivers\etc\hosts.20040110-225844.backup
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\WINDOWS\system32\drivers\etc\hosts.20040110-170734.backup
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\WINDOWS\system32\drivers\etc\hosts.20040110-170738.backup
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\WINDOWS\system32\drivers\etc\hosts.20040105-103347.backup
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP917\A0333450.exe[SDFix\apps\Process.exe]
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Cookies\naran@tradedoubler[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Cookies\naran@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Cookies\naran@tribalfusion[1].txt
00145745 Cookie/OfferOptimizer TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@offeroptimizer[1].txt
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@belnk[2].txt
00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@dist.belnk[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@com[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Cookies\naran@ad.yieldmanager[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@burstnet[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Cookies\naran@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Cookies\naran@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Cookies\naran@bs.serving-sys[1].txt
00170087 Cookie/Hbmediapro TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@adopt.hbmediapro[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Cookies\naran@overture[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Cookies\naran@questionmarket[2].txt
00184934 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\.jpi_cache\jar\1.0\ie0502b.jar-35b62376-7711ac38.zip[NewURLClassLoader.class]
00184935 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\.jpi_cache\jar\1.0\ie0502b.jar-35b62376-7711ac38.zip[NewSecurityClassLoader.class]
00196960 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@ath.belnk[2].txt
00199231 HackTool/EvID HackTools No 0 No No C:\Program Files\PPLive TV\SynaLiveSetup.exe[EvID4226Patch.exe]
00199231 HackTool/EvID HackTools No 0 Yes No C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe
00209349 Trj/SendPac.A Virus/Trojan No 0 Yes No C:\Documents and Settings\NARAN\Desktop\stuff\TibiaSuite\packet.dll
00221312 Adware/Bitamobar Adware No 0 Yes No C:\WINDOWS\system32\autoupdatev2.exe
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@atwola[1].txt
00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Cookies\naran@cgi-bin[1].txt
00385454 Adware/Startpage.CTK Adware No 1 Yes No C:\WINDOWS\Downloaded Program Files\CONFLICT.3\geaccess.exe
00407065 Adware/GoodSearchNow Adware No 1 No No C:\Documents and Settings\NARAN\My Documents\My Received Files\Biffbot2.rar[packet.dll]
00549844 Trj/Lineage.EAQ Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP865\A0326688.dll
00549844 Trj/Lineage.EAQ Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP823\A0318924.dll
00561664 Bck/Hupigon.AZG Virus/Trojan No 1 Yes No C:\Program Files\HyperSnap-DX 5\Trial-Reset.exe
00585891 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\WWW File Share Pro\crack.exe
00810279 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\Tibia\madCHook.dll
00810279 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\NARAN\Desktop\TibiaBotNG.zip[madCHook.dll]
00810279 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\Tibia1\madCHook.dll
00815796 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Documents and Settings\NARAN\Desktop\stuff\TibiaSuite\TibiaSuite.exe
00815796 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Documents and Settings\NARAN\My Documents\My Received Files\TibiaSuite.zip[TibiaSuite.exe]
00868118 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\Downloaded Program Files\gsda.dll
01074988 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\WinRAR\patch-tod.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP917\A0333448.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP917\A0333448.exe[nircmd.cfexe]
02002196 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\HyperSnap-DX 5\loader.exe
02002721 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP823\A0318923.dll
02002721 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP865\A0326687.dll
02309226 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP828\A0319967.exe
02309226 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP910\A0332397.exe
02309226 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP910\A0332403.exe
02309226 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\SDFix\backups\backups.zip[backups/services.exe]
02309226 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP830\A0320968.exe
02426923 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{E24E15E8-DF5C-44C6-8F4F-6713AC3BF17F}\{F3AEAD4F-A5F9-4478-95EA-EBFFB72BD819}.bak[{F3AEAD4F-A5F9-4478-95EA-EBFFB72BD819}.bak]
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================


Ad-Aware SE Build 1.06r1
Logfile Created on:31 October 2007 15:47:04
Using definitions file:SE1R200 29.10.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):28 total references
Tracking Cookie(TAC index:3):11 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


10-31-2007 15:47:04 - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 832
ThreadCreationTime : 1-1-2000 00:02:05
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1180
ThreadCreationTime : 1-1-2000 00:02:08
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1340
ThreadCreationTime : 1-1-2000 00:02:09
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1472
ThreadCreationTime : 1-1-2000 00:02:10
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1532
ThreadCreationTime : 1-1-2000 00:02:10
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 788
ThreadCreationTime : 1-1-2000 00:02:13
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1028
ThreadCreationTime : 1-1-2000 00:02:14
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1244
ThreadCreationTime : 1-1-2000 00:02:14
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1640
ThreadCreationTime : 1-1-2000 00:02:15
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1892
ThreadCreationTime : 1-1-2000 00:02:16
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 564
ThreadCreationTime : 1-1-2000 00:02:18
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [wlservice.exe]
FilePath : C:\Program Files\Belkin\F5D7051\
ProcessID : 992
ThreadCreationTime : 1-1-2000 00:02:19
BasePriority : Normal


#:13 [cdac11ba.exe]
FilePath : C:\WINDOWS\system32\drivers\
ProcessID : 1040
ThreadCreationTime : 1-1-2000 00:02:19
BasePriority : Normal
FileVersion : 4.20.0
ProductVersion : 4.20.0 Windows NT 2002/07/15
ProductName : SafeCast Windows NT
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright © 1998-2002 Macrovision Corp.
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:14 [wlancfgg.exe]
FilePath : C:\Program Files\Belkin\F5D7051\
ProcessID : 1060
ThreadCreationTime : 1-1-2000 00:02:19
BasePriority : Normal
FileVersion : 1, 0, 7, 4
ProductVersion : 1, 0, 7, 4
ProductName : Wireless Monitor Application
FileDescription : Wireless Monitor Application
InternalName : WLanCfg
LegalCopyright : Copyright © 2002.08
OriginalFilename : WLanCfg.EXE

#:15 [isafe.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ProcessID : 1104
ThreadCreationTime : 1-1-2000 00:02:19
BasePriority : Normal
FileVersion : Version 10.67.0.0
ProductVersion : Version 10.67.0.0
ProductName : ISafe
CompanyName : Computer Associates International, Inc.
FileDescription : ISafe Service
InternalName : ISafe
LegalCopyright : © 2003 Computer Associates International, Inc.
LegalTrademarks : Vet is a trademark of Computer Associates International, Inc.
OriginalFilename : ISafe.exe
Comments : ISafe

#:16 [dkservice.exe]
FilePath : C:\Program Files\Executive Software\Diskeeper\
ProcessID : 1224
ThreadCreationTime : 1-1-2000 00:02:20
BasePriority : Normal
FileVersion : 9.0.524.0
ProductVersion : 9.0.524.0
ProductName : Diskeeper ™ Disk Defragmenter
CompanyName : Executive Software International, Inc.
FileDescription : DKSERVICE.EXE
InternalName : DKSERVICE
LegalCopyright : © 1995-2005 Executive Software Int'l, Inc.
OriginalFilename : DKSERVICE

#:17 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1844
ThreadCreationTime : 1-1-2000 00:02:23
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:18 [nvsvc32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1940
ThreadCreationTime : 1-1-2000 00:02:24
BasePriority : Normal
FileVersion : 6.14.10.9371
ProductVersion : 6.14.10.9371
ProductName : NVIDIA Driver Helper Service, Version 93.71
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 93.71
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:19 [pctspk.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 184
ThreadCreationTime : 1-1-2000 00:02:25
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : PCTSPK.EXE
CompanyName : PCtel, Inc.
FileDescription : PCTSPK.EXE
InternalName : PCTSPK.EXE
LegalCopyright : Copyright ©PCtel,Inc. 1999-2000
OriginalFilename : PCTSPK.EXE

#:20 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1232
ThreadCreationTime : 1-1-2000 00:02:31
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:21 [wt32exe.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1436
ThreadCreationTime : 1-1-2000 00:02:31
BasePriority : Realtime
FileVersion : 1, 5, 0, 0
ProductVersion : 1, 0, 0, 1
ProductName : Aiptek wt32exe
CompanyName : Aiptek
FileDescription : wt32exe
InternalName : wt32exe
LegalCopyright : Copyright c 2000
OriginalFilename : wt32exe.exe

#:22 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1124
ThreadCreationTime : 1-1-2000 00:02:47
BasePriority : Normal
FileVersion : 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)
ProductVersion : 6.00.2900.3156
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:23 [wwsecure.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 328
ThreadCreationTime : 1-1-2000 00:03:08
BasePriority : Normal
FileVersion : 6.0.1.2
ProductVersion : 6.0.1.1
CompanyName : Webroot Software, Inc.
FileDescription : Washer Security Service
InternalName : wwSecure.exe
LegalCopyright : © 1997, 2005 All Rights Reserved

#:24 [pdsched.exe]
FilePath : C:\Program Files\Raxco\PerfectDisk\
ProcessID : 492
ThreadCreationTime : 1-1-2000 00:03:10
BasePriority : Normal
FileVersion : 7, 0, 0, 40
ProductVersion : 7, 0, 0, 40
ProductName : PDSched Module
CompanyName : Raxco Software, Inc.
FileDescription : PDSched Module
InternalName : PDSched
LegalCopyright : Copyright © 2004
OriginalFilename : PDSched.exe

#:25 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1556
ThreadCreationTime : 1-1-2000 00:03:47
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:26 [nvatray.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1304
ThreadCreationTime : 1-1-2000 00:03:51
BasePriority : Normal
FileVersion : 5.10.2813.0
ProductVersion : 5.10.2813.0
ProductName : NVIDIA® nForce™ Audio Driver
CompanyName : NVIDIA® Corporation
FileDescription : NV Audio Panel Tray Application
InternalName : NVIDIA® nForce™ Audio Driver
LegalCopyright : Copyright© 2000-2001 NVIDIA® Corporation
OriginalFilename : nvatray.exe

#:27 [tblmouse.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2340
ThreadCreationTime : 1-1-2000 00:03:56
BasePriority : Normal
FileVersion : 5, 2, 4, 1
ProductVersion : 1, 0, 0, 1
ProductName : Tblmouse
FileDescription : Tblmouse
InternalName : Tblmouse
LegalCopyright : Copyright c 1999
OriginalFilename : Tblmouse.exe
Comments : All

#:28 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 2540
ThreadCreationTime : 1-1-2000 00:04:04
BasePriority : Normal
FileVersion : 1.00.0701
ProductVersion : 1.00.0701
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:29 [lvcomsx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2544
ThreadCreationTime : 1-1-2000 00:04:04
BasePriority : Normal
FileVersion : 8.4.1.1092
ProductVersion : 8.4.1.1092
ProductName : Logitech QuickCam
CompanyName : Logitech Inc.
FileDescription : LVCom Server
InternalName : LVComS.exe
LegalCopyright : © 1996-2004 Logitech. All rights reserved.
OriginalFilename : LVComS.exe

#:30 [logitray.exe]
FilePath : C:\Program Files\Logitech\Video\
ProcessID : 3796
ThreadCreationTime : 1-1-2000 00:04:39
BasePriority : Normal
FileVersion : 8.4.6.1012
ProductVersion : 8.4.6.1012
ProductName : Logitech QuickCam
CompanyName : Logitech Inc.
FileDescription : ImageStudio Tray Application
InternalName : LogiTray.exe
LegalCopyright : © 1996-2005 Logitech. All rights reserved.
OriginalFilename : LogiTray.exe

#:31 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_03\bin\
ProcessID : 3988
ThreadCreationTime : 1-1-2000 00:04:40
BasePriority : Normal


#:32 [qttask.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1368
ThreadCreationTime : 1-1-2000 00:04:42
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:33 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2124
ThreadCreationTime : 1-1-2000 00:04:43
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:34 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2412
ThreadCreationTime : 1-1-2000 00:04:46
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:35 [fxsvr2.exe]
FilePath : C:\Program Files\Logitech\Video\
ProcessID : 2696
ThreadCreationTime : 1-1-2000 00:05:39
BasePriority : Normal
FileVersion : 8.4.6.1012
ProductVersion : 8.4.6.1012
ProductName : Logitech QuickCam
CompanyName : Logitech Inc.
FileDescription : QuickCam Framework Server
InternalName : FxSvr.EXE
LegalCopyright : © 1996-2005 Logitech. All rights reserved.
OriginalFilename : FxSvr.EXE

#:36 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ProcessID : 2596
ThreadCreationTime : 10-31-2007 12:51:45
BasePriority : Normal
FileVersion : 6.0.667.000
ProductVersion : 6.0.667.000
ProductName : Zone Labs Client
CompanyName : Zone Labs, LLC
FileDescription : Zone Labs Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2005, Zone Labs, LLC
OriginalFilename : zlclient.exe

#:37 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ProcessID : 1724
ThreadCreationTime : 10-31-2007 12:52:03
BasePriority : Normal
FileVersion : 6.0.667.000
ProductVersion : 6.0.667.000
ProductName : TrueVector Service
CompanyName : Zone Labs, LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2005, Zone Labs, LLC
OriginalFilename : vsmon.exe

#:38 [mantispm.exe]
FilePath : C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\
ProcessID : 680
ThreadCreationTime : 10-31-2007 12:55:55
BasePriority : Normal
FileVersion : 4, 7, 1, 6235
ProductVersion : 4, 7, 1, 6235
FileDescription : Spam Filter
InternalName : mantispm.exe
LegalCopyright : © 2002-2004
OriginalFilename : mantispm.exe

#:39 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 556
ThreadCreationTime : 10-31-2007 13:08:59
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:40 [opera.exe]
FilePath : C:\Program Files\Opera\
ProcessID : 1176
ThreadCreationTime : 10-31-2007 15:38:28
BasePriority : Normal
FileVersion : 8552
ProductVersion : 9.01
ProductName : Opera Internet Browser
CompanyName : Opera Software
FileDescription : Opera Internet Browser
InternalName : Opera
LegalCopyright : Copyright © Opera Software 1995-2006
OriginalFilename : Opera.exe

#:41 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Professional\
ProcessID : 884
ThreadCreationTime : 10-31-2007 15:46:04
BasePriority : Normal
FileVersion : 6.2.0.238
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@overture[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:naran@overture.com/
Expires : 10-22-2017 11:51:54
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@bs.serving-sys[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:naran@bs.serving-sys.com/
Expires : 12-31-2037 22:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:naran@tradedoubler.com/
Expires : 10-20-2027 11:53:18
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@www.burstnet[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:naran@www.burstnet.com/
Expires : 11-3-2007 14:10:06
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@questionmarket[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:naran@questionmarket.com/
Expires : 12-15-2008 08:48:28
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:naran@fastclick.net/
Expires : 10-26-2009 14:09:52
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@serving-sys[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:naran@serving-sys.com/
Expires : 12-31-2037 22:00:00
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@ad.yieldmanager[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:naran@ad.yieldmanager.com/
Expires : 10-24-2009 18:41:02
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@adserve.v-store.co[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:naran@adserve.v-store.co.uk/
Expires : 10-26-2009 14:10:24
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@boldchat[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:naran@boldchat.com/
Expires : 10-24-2008 11:55:48
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : naran@tribalfusion[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:naran@tribalfusion.com/
Expires : 10-26-2008 14:10:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 11
Objects found so far: 11



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11

Disk Scan Result for C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11

Disk Scan Result for C:\DOCUME~1\TEMP76~1.000\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 11



MRU List Object Recognized!
Location: : C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\jasc\animation shop 3\recent file list
Description : list of recently used files in jasc animation shop


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\office\10.0\clip organizer\search\last query
Description : last query in microsoft clip organizer


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\insert picture\file name mru
Description : list of recent pictured inserted in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\office\10.0\powerpoint\recent templates
Description : list of recent templates used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\office\10.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\office\10.0\powerpoint\recentfolderlist
Description : list of recent folders used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\office\10.0\powerpoint\recenttemplatelist
Description : list of recent templates used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-823518204-179605362-1801674531-1004\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 39

15:56:12 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:08.47
Objects scanned:128232
Objects identified:11
Objects ignored:0
New critical objects:11

---------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:37:38, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5112.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wt32exe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\NVATray.exe
C:\WINDOWS\system32\tblmouse.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CAEB9BA-CBBB-4C8B-80AC-09EE6E427F55}: NameServer = 195.92.195.94,192.168.2.1
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O22 - SharedTaskScheduler: IE Browseui preloader - {240E2B94-741E-4513-B66A-60EC26A9EF26} - C:\WINDOWS\system32\ieframe.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\system32\Wt32exe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 6823 bytes

#12 Guest_Cretemonster_*


Posted 01 November 2007 - 01:18 PM

Looks like you better be more careful what you download!

All these appear to be infected:

C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\hask\harddiskkiller4.zip
C:\Program Files\PPLive TV\SynaLiveSetup.exe[EvID4226Patch.exe]
C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe
C:\Documents and Settings\NARAN\Desktop\stuff\TibiaSuite\packet.dll
C:\Documents and Settings\NARAN\Desktop\TibiaBotNG.zip

Please locate and delete this archive:

C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\.jpi_cache\jar\1.0\ie0502b.jar-35b62376-7711ac38.zip

Copy the text below to notepad and save it to the desktop with the name CFScript.txt

File::
c:\windows\msxct1.ini
C:\WINDOWS\inf\biR.inf
C:\WINDOWS\inf\biS.inf
C:\WINDOWS\system32\autoupdatev2.exe
C:\WINDOWS\system32\drivers\etc\hosts.20040106-153555.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-225913.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-180319.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-225844.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-170734.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-170738.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040105-103347.backup
C:\Program Files\HyperSnap-DX 5\Trial-Reset.exe
C:\Program Files\WWW File Share Pro\crack.exe
C:\WINDOWS\Downloaded Program Files\gsda.dll
C:\Program Files\WinRAR\patch-tod.exe
C:\Program Files\HyperSnap-DX 5\loader.exe
Folder::
C:\WINDOWS\Downloaded Program Files\CONFLICT.3
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net]

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed, post the new ComboFix log and run the Panda Scan once more please; post that log when completed.

#13 JewelSummoner


Posted 02 November 2007 - 04:09 PM

Hiya Crete!

I deleted the file ie0502b.jar-35b62376-7711ac38.zip with the software Killbox and did what you asked with ComboFix and ran the Panda scan again.

ComboFix 07-10-23.2 - NARAN 2007-11-02 16:23:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.50 [GMT 0:00]
Running from: C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Program Files\HyperSnap-DX 5\loader.exe
C:\Program Files\HyperSnap-DX 5\Trial-Reset.exe
C:\Program Files\WinRAR\patch-tod.exe
C:\Program Files\WWW File Share Pro\crack.exe
C:\WINDOWS\Downloaded Program Files\gsda.dll
C:\WINDOWS\inf\biR.inf
C:\WINDOWS\inf\biS.inf
c:\windows\msxct1.ini
C:\WINDOWS\system32\autoupdatev2.exe
C:\WINDOWS\system32\drivers\etc\hosts.20040105-103347.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040106-153555.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-170734.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-170738.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-180319.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-225844.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-225913.backup
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\HyperSnap-DX 5\loader.exe
C:\Program Files\HyperSnap-DX 5\Trial-Reset.exe
C:\Program Files\WinRAR\patch-tod.exe
C:\Program Files\WWW File Share Pro\crack.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\geaccess.exe
C:\WINDOWS\Downloaded Program Files\gsda.dll
C:\WINDOWS\inf\biR.inf
C:\WINDOWS\inf\biS.inf
c:\windows\msxct1.ini
C:\WINDOWS\system32\autoupdatev2.exe
C:\WINDOWS\system32\drivers\etc\hosts.20040105-103347.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040106-153555.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-170734.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-170738.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-180319.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-225844.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040110-225913.backup
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-10-31 21:19 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-31 13:23 <DIR> d-------- C:\Program Files\Panda Security
2007-10-26 19:07 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-26 14:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 16:14 <DIR> d-------- C:\Program Files\Asprate
2007-10-10 11:51 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 16:32 --------- d-----w C:\Program Files\WWW File Share Pro
2007-11-02 16:32 --------- d-----w C:\Program Files\HyperSnap-DX 5
2007-10-31 21:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 21:11 --------- d-----w C:\Program Files\Trillian
2007-10-31 21:10 --------- d-----w C:\Documents and Settings\NARAN\Application Data\Lavasoft
2007-10-27 22:38 --------- d-----w C:\Program Files\Zoom Player
2007-10-26 19:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 19:44 --------- d-----w C:\Program Files\Stardock
2007-10-26 19:39 --------- d-----w C:\Program Files\Winamp
2007-10-26 19:37 --------- d-----w C:\Program Files\Replay Music 2
2007-10-26 19:36 --------- d-----w C:\Program Files\Ulead Systems
2007-10-26 19:36 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-10-15 23:00 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-09-23 19:02 200,080 ----a-w C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Application Data\GDIPFONTCACHEV1.DAT
2007-09-18 23:24 --------- d-----w C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Application Data\uTorrent
2007-09-16 10:20 --------- d-----w C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Application Data\Tibia
2007-09-09 22:48 --------- d-----w C:\Program Files\Tibia Auto
2007-09-09 22:23 --------- d-----w C:\Program Files\Tibia7.5
2007-09-02 00:57 --------- d-----w C:\Program Files\TibiaTek Bot DevTeam
2005-09-16 23:35 8,224 ----a-w C:\Documents and Settings\NARAN\Application Data\GDIPFONTCACHEV1.DAT
2004-02-01 14:00 81,920 ----a-w C:\Documents and Settings\NARAN\Application Data\hruo.exe
2003-06-02 16:06 809 ----a-w C:\Program Files\INSTALL.LOG
2002-12-10 21:19 40 ----a-w C:\Documents and Settings\NARAN\language.dat
2002-12-07 18:42 13,195 ----a-w C:\Documents and Settings\NARAN\zguicfgw.dat
2004-01-03 21:59:24 56 --sha-r C:\WINDOWS\system32\6FB737BE43.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-26_16.13.55.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-20 05:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 06:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-05-07 16:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 16:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 16:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-10-31 21:22:25 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-10-31 21:22:25 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-10-31 21:22:25 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-10-31 21:22:25 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
- 2006-04-11 23:43:53 4,341 ----a-w C:\WINDOWS\mozver.dat
+ 2007-10-31 13:23:15 5,537 ----a-w C:\WINDOWS\mozver.dat
+ 2007-07-11 14:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 13:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 13:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-04-13 15:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 1999-12-31 23:05:27 62,344 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-27 10:39:32 62,344 ----a-w C:\WINDOWS\system32\perfc009.dat
- 1999-12-31 23:05:28 401,064 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-27 10:39:32 401,064 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-04-02 13:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 14:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
- 2007-10-26 13:10:17 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2007-11-02 15:59:58 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2007-10-26 13:11:21 6,395,627 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-11-02 12:48:33 6,524,330 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
- 2007-10-26 13:11:21 6,395,627 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2007-11-02 12:48:33 6,524,330 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2007-11-02 16:38:35 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 12:12]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2001-11-28 10:43 C:\WINDOWS\system32\NVATray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22]
"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-29 18:09]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 10:52]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-01-18 16:47]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-01-18 16:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 02:48]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 10:38]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2007-01-14 22:51]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoResolveTrack"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{240E2B94-741E-4513-B66A-60EC26A9EF26}"= %SystemRoot%\system32\ieframe.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\InterMute\SpySubtract\sshook.dll [2004-01-05 13:35 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOWS\system32\srr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders , digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
"C:\Program Files\a2\a2guard.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - D:\Setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{26923b43-4d38-484f-9b9e-de460746276c}]
"%programfiles%\Internet Explorer\iexplore.exe" -userconfig
.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 16:15:08 C:\WINDOWS\Tasks\1-Click Maintenance.job"
"2004-01-03 00:36:01 C:\WINDOWS\Tasks\RegistryMedicAuotScan.job"
- C:\Program Files\Iomatic\Registry Medic\RegMedical.exe
"2004-02-07 23:29:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 16:40:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-02 16:50:32 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-26 15:16
.
--- E O F ---
-------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------

;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-11-02 21:04:30
PROTECTIONS: 2
MALWARE: 33
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ZoneAlarm Security Suite Antivirus 6.0.667.000 Yes No
avast! antivirus 4.6.652 [VPS 0520-4] 4.6.652 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00026523 Trj/HDFiller Virus/Trojan No 1 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\hask\hdfiller.zip[hdfill2.Exe]
00026523 Trj/HDFiller Virus/Trojan No 1 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\hask\hdfiller.zip[hdfill.Exe]
00050330 Trj/BAT.Munga Virus/Trojan No 0 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\hask\harddiskkiller4.zip[hdkp_4.bat]
00053880 Trj/Runner.Small Virus/Trojan No 1 Yes No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\hask\harddiskkiller4.zip[hdkp4.exe]
00064455 Adware/SAHAgent Adware No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP935\A0339051.inf
00064455 Adware/SAHAgent Adware No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP935\A0339052.inf
00064455 Adware/SAHAgent Adware No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\inf\biR.inf.vir
00064455 Adware/SAHAgent Adware No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\inf\biS.inf.vir
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20040110-170734.backup.vir
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20040105-103347.backup.vir
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20040106-153555.backup.vir
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20040110-225913.backup.vir
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20040110-170738.backup.vir
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20040110-225844.backup.vir
00136897 Trj/Qhost.Y Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20040110-180319.backup.vir
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP917\A0333450.exe[SDFix\apps\Process.exe]
00145745 Cookie/OfferOptimizer TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@offeroptimizer[1].txt
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@belnk[2].txt
00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@dist.belnk[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@com[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@burstnet[1].txt
00170087 Cookie/Hbmediapro TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@adopt.hbmediapro[2].txt
00184934 Exploit/ByteVerify HackTools No 0 Yes No C:\!KillBox\ie0502b.jar-35b62376-7711ac38[NewURLClassLoader.class]
00184935 Exploit/ByteVerify HackTools No 0 Yes No C:\!KillBox\ie0502b.jar-35b62376-7711ac38[NewSecurityClassLoader.class]
00196960 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@ath.belnk[2].txt
00199231 HackTool/EvID HackTools No 0 Yes No C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe
00199231 HackTool/EvID HackTools No 0 No No C:\Program Files\PPLive TV\SynaLiveSetup.exe[EvID4226Patch.exe]
00209349 Trj/SendPac.A Virus/Trojan No 0 Yes No C:\Documents and Settings\NARAN\Desktop\stuff\TibiaSuite\packet.dll
00221312 Adware/Bitamobar Adware No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\autoupdatev2.exe.vir
00221312 Adware/Bitamobar Adware No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP935\A0339054.exe
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\NARAN\Cookies\naran@atwola[1].txt
00385454 Adware/Startpage.CTK Adware No 1 Yes No C:\qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.3\geaccess.exe.vir
00407065 Adware/GoodSearchNow Adware No 1 No No C:\Documents and Settings\NARAN\My Documents\My Received Files\Biffbot2.rar[packet.dll]
00549844 Trj/Lineage.EAQ Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP865\A0326688.dll
00549844 Trj/Lineage.EAQ Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP823\A0318924.dll
00561664 Bck/Hupigon.AZG Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP935\A0339048.exe
00561664 Bck/Hupigon.AZG Virus/Trojan No 1 Yes No C:\qoobox\Quarantine\C\Program Files\HyperSnap-DX 5\Trial-Reset.exe.vir
00585891 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP935\A0339050.exe
00585891 Generic Trojan Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\Program Files\WWW File Share Pro\crack.exe.vir
00810279 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\Tibia\madCHook.dll
00810279 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\Tibia1\madCHook.dll
00810279 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\NARAN\Desktop\TibiaBotNG.zip[madCHook.dll]
00815796 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Documents and Settings\NARAN\My Documents\My Received Files\TibiaSuite.zip[TibiaSuite.exe]
00815796 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Documents and Settings\NARAN\Desktop\stuff\TibiaSuite\TibiaSuite.exe
00868118 Generic Trojan Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\gsda.dll.vir
01074988 Generic Trojan Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\Program Files\WinRAR\patch-tod.exe.vir
01074988 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP935\A0339049.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP934\A0339041.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP917\A0333448.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP917\A0333448.exe[nircmd.cfexe]
02002196 Generic Trojan Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\Program Files\HyperSnap-DX 5\loader.exe.vir
02002196 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP935\A0339047.exe
02002721 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP865\A0326687.dll
02002721 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP823\A0318923.dll
02309226 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP828\A0319967.exe
02309226 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\SDFix\backups\backups.zip[backups/services.exe]
02309226 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP830\A0320968.exe
02309226 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP910\A0332397.exe
02309226 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{7A6C9903-FC12-408F-864F-348C0BA1C733}\RP910\A0332403.exe
02426923 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{E24E15E8-DF5C-44C6-8F4F-6713AC3BF17F}\{F3AEAD4F-A5F9-4478-95EA-EBFFB72BD819}.bak[{F3AEAD4F-A5F9-4478-95EA-EBFFB72BD819}.bak]
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Edited by JewelSummoner, 02 November 2007 - 04:11 PM.


#14 Guest_Cretemonster_*

  • Guests

Posted 04 November 2007 - 05:01 AM

Remind me in the next post, I need to repair some registry settings to default, first I have to find out how to do such a task. :thumbsup:

What is this?
C:\Documents and Settings\TEMP.76-LAMORNA-GRV.000\Desktop\hask\hdfiller.zip

#15 JewelSummoner
  • Topic Starter
  • Members
  • 17 posts
  • Gender:Male

Posted 04 November 2007 - 08:19 AM

Hmm! In the folder hask I have another zip called harddiskkiller, so I assume they are all viruses I downloaded. I deleted the whole folder.

As requested, I'll remind you about repairing some registry settings.

Thanks for all the help so far, mate.
