
Infection By Several Malware


17 replies to this topic

#1 AbeN468


Posted 06 November 2007 - 02:32 AM

Hello,
My computer was recently infected by several different things. I came home one night to find there were several viruses detected and my computer was getting popups to buy a spyware removal program for 20 Euros. I think some kids who were over had somehow gone to a website that infected my computer like this. I was using Norton AV2k2 (pretty old version I know), which I uninstalled after I cleaned my system up a bit, since it's pretty useless. I'll download one of the free antiviruses that I've heard about after I'm sure all the traces are gone. Some of the things that Norton came up with were Hacktool.Rootkit and Trojan.Peacomm.B. Anyway, I shut down my computer, disconnected from the network, and went over to Safe Mode, ran Spybot S&D, and took all the recommended fixes. If the results from Spybot are needed I have that logfile as well, but it basically detected: Aconti, 7FaSSt, SWAgent, Deskwizz, Smitfraud-C, Accoona, a registry change that stopped me from opening taskmanager, AdBreak, INetSpeak, and CnsMin. This wasn't quite enough. I think a particular process was still being run in Safe Mode called vvgeowbv.exe because the problems still continued. So long story short, I searched for files that were last modified on the day (11/2) and pretty much deleted everything from the time 10:42PM along with some other suspicious files. There were several things under the WINDOWS folder(s) as well as _install.exe files all over the place. I'm pretty confident I deleted most of the files, and at the very least I stopped the thing from running. I ran Spybot and Webroot's Spysweeper to do another cleaning. My computer appears to be running normally now, but I want to make sure there aren't any traces left over that could cause me trouble later. Here's my HJT log, thanks for any help/suggestions in advance!
-Abe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:50 PM, on 11/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
P:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Razer\razerhid.exe
P:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
P:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\Razer\razerofa.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - P:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "P:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [NetLimiter] P:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] "P:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: trillian.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Kirby Alarm.lnk = P:\Program Files\Kirby Alarm\kirbyalarm.exe
O8 - Extra context menu item: Download All by FlashGet - P:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - P:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6064 bytes
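As an added triage helper (not from this thread, and not code from HijackThis, SDFix or ComboFix), the following Python script parses lines in the HijackThis format shown above and flags three patterns that come up in this thread: a UserInit value that chains a second executable, BHO entries whose DLL is absent from disk, and a Run entry or service whose executable sits directly in the Windows directory. The sample log is constructed from the shapes of entries in the log above; its tampered F2 line is a constructed illustration of a Userinit change, not a value from the posted log.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 line format. The F2 line is a constructed
# illustration of a Userinit value extended with a second executable; the rest
# follow the shapes of entries in the posted log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vvgeowbv.exe
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe
O4 - HKCU\..\Run: [SpySweeper] "P:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Userinit is what winlogon launches at logon; anything chained after it runs too.
DEFAULT_USERINIT = {r"c:\windows\system32\userinit.exe", "userinit.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*)$")


@dataclass
class Finding:
    section: str  # HijackThis section prefix (F2, O2, O4, O23)
    reason: str
    line: str


def first_path(cmd: str) -> str:
    """Executable path from a Run/Service command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def in_windows_root(path: str) -> bool:
    """True when the executable lives directly in the Windows directory rather
    than a subdirectory (system32, IME, ...) or Program Files. A bare name such
    as RUNDLL32.EXE has no directory and is not flagged."""
    return ntpath.dirname(path).lower() == r"c:\windows"


def triage(log_text: str) -> list:
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = F2_RE.match(line)
        if m:
            parts = [p.strip().lower() for p in m.group(1).split(",") if p.strip()]
            extra = [p for p in parts if p not in DEFAULT_USERINIT]
            if extra:
                findings.append(Finding("F2", "UserInit chains extra executable(s): " + ", ".join(extra), line))
            continue
        m = O2_RE.match(line)
        if m:
            tail = m.group(3).lower()
            if tail == "(no file)" or tail.endswith("(file missing)"):
                findings.append(Finding("O2", "BHO registered but its DLL is absent from disk", line))
            continue
        m = O4_RE.match(line)
        if m and in_windows_root(first_path(m.group(4))):
            findings.append(Finding("O4", "autorun executable sits directly in the Windows directory", line))
            continue
        m = O23_RE.match(line)
        if m and in_windows_root(first_path(m.group(1).rsplit(" - ", 1)[-1])):
            findings.append(Finding("O23", "service image sits directly in the Windows directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Orphaned BHO CLSIDs and a Windows-root autorun are only prompts for a closer look, not verdicts; the confirmation still comes from examining the referenced file and its registration.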



#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 06 November 2007 - 06:38 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, AbeN468.
My name is Richie and I'll be helping you to fix your problems.

You have a Backdoor Trojan present on your pc.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

If you want us to go ahead and clean up your system then fair enough, but there's no way I can guarantee your pc will be 100% safe once we've finished.
Let me know how you wish to proceed.

#3 AbeN468

  • Topic Starter

Posted 06 November 2007 - 03:55 PM

Hi RichieUK,
Thanks for the quick response. I haven't entered any sensitive information on that computer since it was infected and it's been disconnected from the internet. Assuming the backdoor was not present prior to that day, I think my passwords and such should be safe. As for whether to clean or reinstall, what I was hoping to do was clean the computer as much as I could so that I felt comfortable backing up most of the data, then I would reformat. I have partitions and a couple hard drives, and it seemed that the infection was limited to my system drive and my temporary files partition. Thankfully, most of the files I would want to back up and carry over after a reformat are on the other drives. So I'd basically like to try cleaning first, and this weekend when I have time I'd reformat. Or if you feel that cleaning is not necessary prior to backing up my data, then I can just start preparing my computer for a reinstall.
I look forward to hearing what you think,
-Abe

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 06 November 2007 - 04:08 PM

Or if you feel that cleaning is not necessary prior to backing up my data, then I can just start preparing my computer for a reinstall.

Let's clean up your system and take it from there.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#5 AbeN468

  • Topic Starter

Posted 07 November 2007 - 03:06 AM

Hi RichieUK,
Thanks again for the quick response! I went ahead and ran everything as you said. I did notice after running SDFix that my USB keys no longer worked on that computer, which seems odd. For now I'm using a CD-RW that appears to be working fine. I was skimming through the log files and I should probably mention that I did do a couple of registry edits myself prior to posting here. The main one I recall was doing a search in the registry for that .exe process I mentioned earlier (think it was vvgeowbv.exe) and found that some Userinit keys had been altered. I ended up erasing the second half of the string entered because it appeared to be altered to run that exe file instead of the normal userinit. I may not be able to respond tomorrow, but I'll check for a reply and post back as soon as I can. Anyway, here are my log files:

SDFIX (Report.txt):

SDFix: Version 1.113

Run by Abe on Tue 11/06/2007 at 11:15 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
noskrnl

ImagePath:
\??\C:\WINDOWS\System32\noskrnl.sys

noskrnl - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 23:19:01
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\3\x00ffC\xffH\xffO\xffO\xffL\xffW0\x01920c0u0\x20390\0020]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3\x00ffC\xffH\xffO\xffO\xffL\xffW0\x01920c0u0\x20390\0020]
"DisplayName"="\xff33\xff43\xff48\xff4f\xff4f\xff4c\x3057\x3083\x3063\x3075\x308b\x3002"
"UninstallString"=""P:\Program Files\\xff33\xff43\xff48\xff4f\xff4fl2\epuninst.exe" /s"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\tgI\x201eh0\ta\xeb_j0\xf2N\x201c\x2022_0a0]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\3\x00ffC\xffH\xffO\xffO\xffL\xffW0\x01920c0u0\x20390\0020]

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

Remaining Files:
---------------


Files with Hidden Attributes:

Mon 4 Sep 2006 199 A.SH. --- "C:\BOOT.BAK"
Tue 17 Aug 2004 0 A..H. --- "C:\Program Files\Windows Media Player\npdrmv6.dll"
Tue 17 Aug 2004 0 A..H. --- "C:\Program Files\Windows Media Player\npdrmv7.dll"
Tue 12 Oct 2004 1,056 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 21 Aug 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 6 Dec 2003 24,576 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL0004.tmp"
Sat 6 Dec 2003 23,552 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL0062.tmp"
Sat 6 Dec 2003 19,456 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL0427.tmp"
Sat 6 Dec 2003 19,456 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL0475.tmp"
Sat 6 Dec 2003 26,112 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL0532.tmp"
Tue 4 Apr 2006 23,040 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL0567.tmp"
Sat 6 Dec 2003 24,576 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL1068.tmp"
Sat 6 Dec 2003 23,552 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL1419.tmp"
Sat 21 May 2005 23,040 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL1484.tmp"
Sat 21 May 2005 23,552 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL1554.tmp"
Tue 9 May 2006 23,040 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL1589.tmp"
Sat 6 Dec 2003 24,576 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL1610.tmp"
Sat 21 May 2005 32,768 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL1787.tmp"
Tue 9 May 2006 22,528 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL1818.tmp"
Sat 6 Dec 2003 26,112 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL1842.tmp"
Sat 21 May 2005 30,208 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL1974.tmp"
Tue 9 May 2006 22,016 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL2202.tmp"
Sat 6 Dec 2003 24,576 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL2666.tmp"
Sat 6 Dec 2003 20,992 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL2798.tmp"
Thu 16 Mar 2006 22,528 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL2881.tmp"
Sat 6 Dec 2003 24,576 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL3007.tmp"
Sat 21 May 2005 24,064 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL3058.tmp"
Tue 4 Apr 2006 23,040 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL3160.tmp"
Sat 6 Dec 2003 20,480 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL3609.tmp"
Thu 16 Mar 2006 23,552 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL3868.tmp"
Sat 21 May 2005 23,552 ...H. --- "C:\Documents and Settings\Abe\Application Data\Microsoft\Word\~WRL4039.tmp"

Finished!

ComboFix (ComboFix.txt):

ComboFix 07-11-07.3 - Abe 2007-11-06 23:44:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.800 [GMT -8:00]
Running from: C:\Documents and Settings\Abe\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\grouppolicy\machine\scripts\scripts.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-06 23:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 23:14 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-04 20:15 <DIR> d-------- C:\HJT
2007-10-12 14:39 <DIR> d-------- C:\Program Files\Game On

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 07:13 --------- d-----w C:\Documents and Settings\Abe\Application Data\U3
2007-11-04 07:27 --------- d-----w C:\Program Files\Symantec
2007-11-04 07:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-04 07:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-03 18:43 --------- d-----w C:\Program Files\Microsoft IntelliPoint 5.0
2007-11-03 18:43 --------- d-----w C:\Program Files\ImgBurn
2007-11-03 18:43 --------- d-----w C:\Program Files\hkSFV
2007-11-03 18:43 --------- d-----w C:\Program Files\Google
2007-11-03 18:43 --------- d-----w C:\Program Files\DVDFab HD Decrypter 3
2007-11-03 18:43 --------- d-----w C:\Program Files\DVD Shrink
2007-11-03 18:43 --------- d-----w C:\Program Files\DVD Genie
2007-11-03 18:43 --------- d-----w C:\Program Files\DVD Decrypter
2007-11-03 18:43 --------- d-----w C:\Program Files\DivX_311alpha
2007-11-03 18:43 --------- d-----w C:\Program Files\DivX
2007-11-03 18:43 --------- d-----w C:\Program Files\Common Files\Raxco
2007-11-03 18:43 --------- d-----w C:\Program Files\Combined Community Codec Pack
2007-11-03 18:43 --------- d-----w C:\Program Files\Blighty Design
2007-11-03 18:43 --------- d-----w C:\Program Files\Azureus
2007-11-03 18:43 --------- d-----w C:\Program Files\AviSynth 2.5
2007-11-03 18:34 --------- d-----w C:\Program Files\Avi2Dvd
2007-09-30 09:43 --------- d-----w C:\Documents and Settings\Abe\Application Data\Azureus
2007-09-19 05:24 --------- d-----w C:\Program Files\Real Alternative
2007-08-13 00:49 720,896 ----a-w C:\WINDOWS\iun6002ev.exe
2006-03-13 02:07 24,192 ----a-w C:\Documents and Settings\Abe\usbsermptxp.sys
2006-03-13 02:07 22,768 ----a-w C:\Documents and Settings\Abe\usbsermpt.sys
2005-05-12 21:37 242,176 ----a-w C:\Documents and Settings\Abe\in_cue.dll
2005-03-26 04:47 4,608 ----a-w C:\Documents and Settings\Abe\gen_cue.dll
2004-02-09 17:29 216 ----a-w C:\Program Files\INSTALL.LOG
2004-10-13 06:42:26 1,056 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2003-03-31 04:00]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 04:00]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 04:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"RegKillElbyCheck"="P:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-01 22:33]
"NetLimiter"="P:\Program Files\NetLimiter\NetLimiter.exe" [2004-09-10 23:53]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 16:50]
"nwiz"="nwiz.exe" [2004-10-29 16:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 16:50]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 17:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-12 01:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"SpySweeper"="P:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 11:48]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

C:\Documents and Settings\Abe\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
trillian.lnk - P:\Program Files\Trillian\trillian.exe [2004-06-23 23:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
DMX 6fire 2496 ControlPanel.lnk - C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe [2004-01-30 21:49:05]
Kirby Alarm.lnk - P:\Program Files\Kirby Alarm\kirbyalarm.exe [2004-01-21 04:25:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Abe^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\Abe\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Abe^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Abe\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MSWin.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSWin.exe
backup=C:\WINDOWS\pss\MSWin.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


R0 Defrag32b;Defrag32Boot;C:\WINDOWS\System32\drivers\Defrag32b.sys
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\System32\DRIVERS\si3112r.sys
R0 sojubus;sojubus;C:\WINDOWS\System32\DRIVERS\sojubus.sys
R0 sojuscsi;sojuscsi;C:\WINDOWS\System32\DRIVERS\sojuscsi.sys
R1 Asapi;Asapi;C:\WINDOWS\System32\drivers\Asapi.sys
R1 NPPTNT;NPPTNT;\??\C:\WINDOWS\System32\npptNT.sys
R1 tvtool;tvtool;\??\P:\Program Files\TVTool\tvtool.sys
R2 Defrag32;Defrag32;C:\WINDOWS\System32\drivers\Defrag32.sys
R3 dmxfire;DMX6fire WDM Audio;C:\WINDOWS\System32\drivers\dmx6fire.sys
R3 dmxsens;dmxsens;C:\WINDOWS\System32\drivers\dmxsens.sys
R3 RegKill;RegKill;C:\WINDOWS\System32\Drivers\RegKill.sys
S0 DigiFilter;DigiFilter;C:\WINDOWS\System32\drivers\DigiFilt.sys
S2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\System32\DRIVERS\diginet.sys
S2 PDSched;PDScheduler;C:\Program Files\Raxco\PerfectDisk\PDSched.exe
S3 Bulk503;Chameleon Mega Digital Camera;C:\WINDOWS\System32\Drivers\Bulk503.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 ISO503;Chameleon Mega Video Camera;C:\WINDOWS\System32\Drivers\ISO503.SYS
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\System32\DRIVERS\ngrpci.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys
S3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\System32\Drivers\Razerlow.sys
S3 RivaTunerEx;RivaTunerEx;\??\C:\Program Files\RivaTuner\RivaTunerEx.sys
S3 SilverLink;Texas Instruments SilverLink (USB GraphLink) Cable;C:\WINDOWS\System32\Drivers\SilvrLnk.sys
S3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\System32\drivers\tbhsd.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 23:45:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\winhelp.exe 256192 bytes
C:\WINDOWS\winhlp32.exe 266752 bytes executable
C:\WINDOWS\winnt.bmp 48680 bytes
C:\WINDOWS\winnt256.bmp 48680 bytes
C:\WINDOWS\WINNT32.LOG 14813 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\wmsetup.log 284612 bytes
C:\WINDOWS\WMSysPr9.prx 316640 bytes
C:\WINDOWS\WMSysPrx.prx 299552 bytes
C:\WINDOWS\WORDPAD.INI 754 bytes
C:\WINDOWS\wsdu.log 35143 bytes
C:\WINDOWS\xpsp1hfm.log 7491 bytes
C:\WINDOWS\Zapotec.bmp 9522 bytes
C:\WINDOWS\_default.pif 707 bytes
C:\WINDOWS\_ISTMP1.DIR
C:\WINDOWS\Winamp.ini 192 bytes
C:\WINDOWS\winampa.ini 41 bytes
C:\WINDOWS\Windows Update.log 167320 bytes
C:\WINDOWS\WindowsShell.Manifest 749 bytes
C:\WINDOWS\WindowsUpdate.log 997427 bytes

scan completed successfully
hidden files: 20

**************************************************************************
.
Completion time: 2007-11-06 23:45:55
.
--- E O F ---


Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:35 PM, on 11/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
P:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
P:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - P:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "P:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [NetLimiter] P:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] "P:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: trillian.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Kirby Alarm.lnk = P:\Program Files\Kirby Alarm\kirbyalarm.exe
O8 - Extra context menu item: Download All by FlashGet - P:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - P:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5775 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 07 November 2007 - 04:19 AM

Please temporarily disable SpySweeper as it will interfere.
You can enable it after your system is clean:

http://wiki.castlecops.com/Malware_Removal...toring_Programs

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MSWin.exe]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, Click ‘Custom Scan’ and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.

Also post a new Hijackthis log please.

#7 AbeN468

AbeN468
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Northern California

Posted 09 November 2007 - 10:27 AM

Hi Richie, sorry it took so long to post back here. That scan took overnight. I did notice that several of the things it detected would not let me choose the option to Disinfect Now. Mostly the archive files, but not all of them. I do think some of the things it is detecting are falsely detected, but I may as well get rid of them anyway. The one archive file called blankexeunderwindowsfolder.zip was something I personally created when I went into Safe Mode and logged in under the Administrator account. My own account has Administrator access, but I guess under Safe Mode two separate ones show up and I couldn't access folders under Documents and Settings/Administrator, so I switched over. There was a file under the windows folder that was just called .exe, but it didn't have the same last date modified as the other things. It seemed fishy though, so I deleted it and then backed up a copy in that zip folder in case it was something legitimate. Let me know if you think most of these are falsely detected or they are actual Trojans because some of those files I've had on my computer for a while like Networx, Fraps, and a couple others although I don't really use any of these things listed below.


Thursday, November 08, 2007 20:59:12 - 07:12:59

Computer name: ABE-N
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ P:\ Q:\ T:\ X:\ Z:\
Result: 15 malware found
HackTool.Win32.XScan.31 (virus)

* X:\Applications\X-Scan\X-Scan-v3.1-en.rar\X-Scan-v3.1\Update.exe
* X:\Applications\X-Scan\X-Scan-v3.1-en.rar\X-Scan-v3.1\Xscan.exe
* X:\Applications\X-Scan\X-Scan-v3.1-en.rar\X-Scan-v3.1\xscan_gui.exe
* X:\Applications\X-Scan\X-Scan-v3.1.rar\X-Scan-v3.1\Xscan.exe
* X:\Applications\X-Scan\X-Scan-v3.1.rar\X-Scan-v3.1\xscan_gui.exe

Toolbar.Softo (spyware)

* System (Disinfected)

Trojan-Downloader.Win32.Murlo.eb (virus)

* C:\WINDOWS\pss\MSWin.exeCommon Startup (Renamed & Submitted)

Trojan-Dropper.Win32.Delf.vt (virus)

* P:\Program Files\eMule\Incoming\MorphVOX - Voice Changer 2.8 crack.rar\crack.exe

Trojan-Dropper.Win32.Delf.xo (virus)

* P:\Program Files\eMule\Incoming\New Folder\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY.zip\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY\azeroth.exe
* P:\Program Files\eMule\Incoming\New Folder\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY.zip\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY\outland.exe

Trojan-Dropper.Win32.VB.tg (virus)

* C:\Documents and Settings\Administrator\Desktop\blankexeunderwindowsfolder.zip\.exe

W32/DLoader.AWYO (virus)

* P:\Program Files\Fraps\fraps.exe (Submitted)

W32/VBTroj.ELL (virus)

* C:\Documents and Settings\Abe\Desktop\Wireless\Testing Programs\networx.exe (Submitted)
* P:\Program Files\NetWorx\uninst.exe (Submitted)

Win32.Spyware.Acoona (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 299161
* System: 4494
* Not scanned: 61

Actions:

* Disinfected: 2
* Renamed: 1
* Deleted: 0
* None: 12
* Submitted: 4

Files not scanned:

H

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-11-06
* F-Secure AVP: 7.0.171, 2007-11-09
* F-Secure Orion: 1.2.37, 2007-11-08
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0597-150-72
* F-Secure Pegasus: 1.19.0, 2007-10-05

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics



And here's the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:17 AM, on 11/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
P:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
P:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - P:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "P:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [NetLimiter] P:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Kirby Alarm.lnk = P:\Program Files\Kirby Alarm\kirbyalarm.exe
O8 - Extra context menu item: Download All by FlashGet - P:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - P:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5701 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 09 November 2007 - 11:09 AM

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Also post a new Hijackthis log, and let me know how your pc is running now.
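
The fix.reg in post #6 and the 'Fix checked' list in post #8 target the same thing: O2 BHO lines in the HijackThis log whose DLL is reported as "(no file)". The Python below is an added example, not part of this thread or of HijackThis; it parses an excerpt of the log posted above, picks out those orphaned registrations and renders the matching REGEDIT4 deletion file, writing out the full Browser Helper Objects key that the post abbreviates with "~".

```python
import re

# Full key that the thread's fix.reg abbreviates as
# "HKEY_LOCAL_MACHINE\~\Browser Helper Objects".
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*)$"
)


def parse_o2_entries(log_text):
    """Return (name, clsid, path) for every O2 BHO line in a HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        m = O2_LINE.match(raw.strip())
        if m:
            entries.append((m.group("name"), m.group("clsid"), m.group("path")))
    return entries


def orphaned_bhos(log_text):
    """CLSIDs of BHO registrations whose DLL HijackThis could not find.

    "(no name)" on its own is not the signal: Spybot's SDHelper.dll is
    registered without a display name but its file exists.  "(no file)"
    is what marks a leftover registration that the thread removes.
    """
    return [clsid for _name, clsid, path in parse_o2_entries(log_text)
            if path == "(no file)"]


def build_fix_reg(clsids):
    """Render a REGEDIT4 file; a leading '-' inside [...] deletes that key."""
    lines = ["REGEDIT4", ""]
    lines += ["[-%s\\%s]" % (BHO_KEY, clsid) for clsid in clsids]
    return "\n".join(lines) + "\n"


# Excerpt of the O2/O3 section of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

if __name__ == "__main__":
    # Prints the two deletion entries for the orphaned CLSIDs; the Spybot
    # and Adobe entries are left alone because their DLLs are present.
    print(build_fix_reg(orphaned_bhos(SAMPLE_LOG)))
```

Run the real log through `orphaned_bhos` before merging anything, and compare the CLSIDs it returns against the ones the helper listed; a CLSID that still has a file on disk should never end up in the deletion list.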

#9 AbeN468

AbeN468
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Northern California

Posted 09 November 2007 - 05:46 PM

Hi Richie, I went ahead and followed your instructions. The logs are pasted below. I was wondering if anything needs to be done about some of the non-fixed viruses/spyware that showed up under F-Secure or if those were mostly false positives. It didn't let me correct those I think because they were inside archives. My computer seems to be working fine. Most of my processes look normal. Alg.exe started popping up, which didn't used to, but I think that's a normal windows process. My USB keys started working again as well. Let me know if there's anything else I need to do. My goal is to clean as much as possible and then start backing up essential files since I'm probably going to reformat. Thanks again for all the help you've offered!

Here's the SUPERAntiSpyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/09/2007 at 10:50 AM

Application Version : 3.9.1008

Core Rules Database Version : 3341
Trace Rules Database Version: 1342

Scan type : Complete Scan
Total Scan Time : 00:38:05

Memory items scanned : 320
Memory threats detected : 0
Registry items scanned : 5304
Registry threats detected : 0
File items scanned : 43158
File threats detected : 0


And here's another HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:01 PM, on 11/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
P:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
P:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - P:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "P:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [NetLimiter] P:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Kirby Alarm.lnk = P:\Program Files\Kirby Alarm\kirbyalarm.exe
O8 - Extra context menu item: Download All by FlashGet - P:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - P:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5232 bytes

Edited by AbeN468, 09 November 2007 - 05:47 PM.


#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 09 November 2007 - 06:08 PM

You've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/


You should install a firewall.
You may be behind a hardware firewall (router/NAT), but it wouldn't hurt to install a third party software firewall to enhance protection.
Download\install one of the following freeware firewalls from below:

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/

Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe

Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/

Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

You should take the time to read the following:
Understanding and Using Firewalls
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

#11 AbeN468

AbeN468
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Northern California

Posted 10 November 2007 - 04:38 PM

Hi Richie,
I went ahead and installed Avast and Comodo Firewall. I am usually behind a router, but because I didn't want to be on the same network with the other computers in the house I went ahead and connected directly to the modem for now, so a firewall would be good. Problem is when I have a connection they don't, so I won't get a chance to do the online Kaspersky WebScanner until tonight, but I thought I should go ahead and post these logs for now. I'm also not sure if it's needed since I thought Avast and Kaspersky used the same antivirus engine. Let me know.

When I reinstall I may consider switching to AVG and ZoneAlarm though. I heard AVG is a little less resource intensive and works just as fine. I did a boot scan when I first installed Avast and have a log file for that. And then I updated the virus database and did another full thorough scan with searching in archives. Everything detected with Avast I deleted and if it had trouble deleting it because it was in an archive I just deleted that entire archive manually. The 0phcrack I downloaded myself a while back to help a friend who forgot their windows login password, but I deleted it anyway. The other archives I'm not too sure about. I don't even know what X-scan is, so I just deleted all of those. Thanks again for all the help and here are the logs:

Avast - Boot Scan (w/o updates)

11/09/2007 19:11
Scan of all local drives
File C:\WINDOWS\pss\MSWin.0xeCommon Startup is infected by Win32:Agent-EQW [Trj], Deleted
File P:\Program Files\Winny2b66\Winny2\Winny.exe is infected by Win32:Trojan-gen. {Other}, Deleted
File P:\System Volume Information\_restore{4C39CED7-D81A-4191-8C62-620E282BCD96}\RP2186\A0158109.exe is infected by Win32:Trojan-gen. {Other}, Deleted
File Z:\System Volume Information\_restore{2B793FEE-A971-4457-9033-C682FF25A2ED}\RP86\A0007929.dll is infected by Win32:IRC-Flood [Drp], Repair: Error 42060 {The file was not repaired.}, Deleted

Number of searched folders: 8242
Number of tested files: 103332
Number of infected files: 4


Avast - Thorough Scan + Archives (w/ updates)

11/9/2007 10:24:22 PM 1194675862 Abe 2644 Sign of "Win32:Pwdump [Tool]" has been found in "C:\Documents and Settings\Abe\Desktop\WoW Fonts\Ophcrack\ophcrack-livecd-1.1.3.iso\ophcrack\ophcrack-win32-installer-2.3.3.exe\{app}\win32_tools\samdump.dll" file.
11/9/2007 10:26:35 PM 1194675995 Abe 2644 Sign of "Win32:Trojan-gen {VC}" has been found in "C:\Documents and Settings\Abe\Desktop\WoW Fonts\Ophcrack\ophcrack-livecd-1.1.3.iso\ophcrack\ophcrack-win32-installer-2.3.3.exe\{app}\win32_tools\pwservice.exe" file.
11/9/2007 11:24:36 PM 1194679476 Abe 2644 Sign of "Win32:Trojan-gen {UPX}" has been found in "P:\Program Files\eMule\Incoming\MorphVOX - Voice Changer 2.8 crack.rar\crack.exe" file.
11/10/2007 12:25:25 AM 1194683125 Abe 2644 Sign of "Win32:Agent-EPY [Trj]" has been found in "P:\Program Files\eMule\Incoming\New Folder\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY.zip\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY\azeroth.exe\[Embedded#FIRSTFILE]" file.
11/10/2007 12:27:28 AM 1194683248 Abe 2644 Sign of "Win32:Delf-BPI [Trj]" has been found in "P:\Program Files\eMule\Incoming\New Folder\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY.zip\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY\azeroth.exe" file.
11/10/2007 12:27:32 AM 1194683252 Abe 2644 Sign of "Win32:Agent-EPY [Trj]" has been found in "P:\Program Files\eMule\Incoming\New Folder\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY.zip\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY\outland.exe\[Embedded#FIRSTFILE]" file.
11/10/2007 12:27:41 AM 1194683261 Abe 2644 Sign of "Win32:Delf-BPI [Trj]" has been found in "P:\Program Files\eMule\Incoming\New Folder\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY.zip\Joanas.Horde.Leveling.Guide.1-70.GameGuide-LAXiTY\outland.exe" file.
11/10/2007 12:49:41 AM 1194684581 Abe 2644 Sign of "Win32:Trojan-gen {Other}" has been found in "P:\Program Files\Sysreset 2.53\download\Winny2b66.zip\Winny2\Winny.exe" file.
11/10/2007 4:57:45 AM 1194699465 Abe 2644 Sign of "Win32:PurityScan-Z [Trj]" has been found in "X:\Applications\X-Scan\X-Scan-v3.1-en.rar\X-Scan-v3.1\plugins\nasl.xpn" file.
11/10/2007 10:04:16 AM 1194717856 Abe 2644 Sign of "Win32:Agent-HVP [Wrm]" has been found in "X:\Applications\X-Scan\X-Scan-v3.1-en.rar\X-Scan-v3.1\Xscan.exe" file.
11/10/2007 10:04:22 AM 1194717862 Abe 2644 Sign of "Win32:PurityScan-Z [Trj]" has been found in "X:\Applications\X-Scan\X-Scan-v3.1.rar\X-Scan-v3.1\plugins\nasl.xpn" file.
11/10/2007 10:04:29 AM 1194717869 Abe 2644 Sign of "Win32:Agent-HVP [Wrm]" has been found in "X:\Applications\X-Scan\X-Scan-v3.1.rar\X-Scan-v3.1\Xscan.exe" file.


And another HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:49 PM, on 11/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
P:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
P:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Razer\razerofa.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - P:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "P:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [NetLimiter] P:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Kirby Alarm.lnk = P:\Program Files\Kirby Alarm\kirbyalarm.exe
O8 - Extra context menu item: Download All by FlashGet - P:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - P:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6329 bytes

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 10 November 2007 - 07:34 PM

I would appreciate it if you would run the Kaspersky Online Scanner anyway, please.

#13 AbeN468
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Northern California

Posted 11 November 2007 - 02:58 AM

Hi Richie,
I managed to get the scan done and I have the report file here:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 10, 2007 11:54:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/11/2007
Kaspersky Anti-Virus database records: 427964
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
P:\
Q:\
S:\
T:\
U:\
X:\
Z:\

Scan Statistics:
Total number of scanned objects: 103405
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:52:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Abe\Application Data\Mozilla\Firefox\Profiles\ibzra8t3.default\cert8.db Object is locked skipped
C:\Documents and Settings\Abe\Application Data\Mozilla\Firefox\Profiles\ibzra8t3.default\history.dat Object is locked skipped
C:\Documents and Settings\Abe\Application Data\Mozilla\Firefox\Profiles\ibzra8t3.default\key3.db Object is locked skipped
C:\Documents and Settings\Abe\Application Data\Mozilla\Firefox\Profiles\ibzra8t3.default\parent.lock Object is locked skipped
C:\Documents and Settings\Abe\Application Data\Mozilla\Firefox\Profiles\ibzra8t3.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Abe\Application Data\Mozilla\Firefox\Profiles\ibzra8t3.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Abe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Abe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Abe\Local Settings\Application Data\Mozilla\Firefox\Profiles\ibzra8t3.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Abe\Local Settings\Application Data\Mozilla\Firefox\Profiles\ibzra8t3.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Abe\Local Settings\Application Data\Mozilla\Firefox\Profiles\ibzra8t3.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Abe\Local Settings\Application Data\Mozilla\Firefox\Profiles\ibzra8t3.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Abe\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Abe\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\blankexeunderwindowsfolder.zip/.exe Infected: Trojan-Dropper.Win32.VB.tg skipped
C:\Documents and Settings\Administrator\Desktop\blankexeunderwindowsfolder.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.log Object is locked skipped
C:\System Volume Information\_restore{4C39CED7-D81A-4191-8C62-620E282BCD96}\RP2187\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\MEMORY.DMP Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
P:\Program Files\Kirby Alarm\ALARMS.TPS Object is locked skipped
T:\Documents and Settings\Abe\Cookies\index.dat Object is locked skipped
T:\Documents and Settings\Abe\History\History.IE5\index.dat Object is locked skipped
T:\Documents and Settings\Abe\TEMP\~DF2317.tmp Object is locked skipped
T:\Documents and Settings\Abe\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
T:\TEMP\Perflib_Perfdata_4e0.dat Object is locked skipped
T:\TEMP\_avast4_\Webshlock.txt Object is locked skipped
T:\TEMP\_av_proI.tm~a03416\dld1.tmp Object is locked skipped
T:\TEMP\_av_proI.tm~a03416\setup.lok Object is locked skipped
X:\Applications\X-Scan\X-Scan-v3.1-en.rar/X-Scan-v3.1/Update.exe Infected: HackTool.Win32.XScan.31 skipped
X:\Applications\X-Scan\X-Scan-v3.1-en.rar/X-Scan-v3.1/xscan_gui.exe Infected: HackTool.Win32.XScan.31 skipped
X:\Applications\X-Scan\X-Scan-v3.1-en.rar RAR: infected - 2 skipped
X:\Applications\X-Scan\X-Scan-v3.1.rar/X-Scan-v3.1/xscan_gui.exe Infected: HackTool.Win32.XScan.31 skipped
X:\Applications\X-Scan\X-Scan-v3.1.rar RAR: infected - 1 skipped

Scan process completed.

#14 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 11 November 2007 - 05:32 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Documents and Settings\Administrator\Desktop\blankexeunderwindowsfolder.zip
X:\Applications\X-Scan

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Also post a new HijackThis log please.
Let me know how your pc is running now.
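The two steps in the post above (pick the on-disk objects out of the scanner report, then move them somewhere they cannot run, deferring anything that is locked) can be scripted. The block below is an added example written for this thread; it is not code from OTMoveIt, Kaspersky or anyone in the thread. The report lines it parses are constructed samples in the same layout as the Kaspersky report posted earlier, the regex and the quarantine layout are this example's own choices, and the demo runs against throwaway files in a temporary directory rather than the poster's drives.

```python
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample lines in the "Infected Object Name / Virus Name / Last
# Action" layout of the report posted above; the paths are sample values.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\Abe\\NTUSER.DAT Object is locked skipped
C:\\Documents and Settings\\Administrator\\Desktop\\blankexeunderwindowsfolder.zip/.exe Infected: Trojan-Dropper.Win32.VB.tg skipped
C:\\Documents and Settings\\Administrator\\Desktop\\blankexeunderwindowsfolder.zip ZIP: infected - 1 skipped
X:\\Applications\\X-Scan\\X-Scan-v3.1-en.rar/X-Scan-v3.1/Update.exe Infected: HackTool.Win32.XScan.31 skipped
X:\\Applications\\X-Scan\\X-Scan-v3.1-en.rar/X-Scan-v3.1/xscan_gui.exe Infected: HackTool.Win32.XScan.31 skipped
X:\\Applications\\X-Scan\\X-Scan-v3.1-en.rar RAR: infected - 2 skipped
"""

# One detection line: "<object> Infected: <name> <last action>"  (assumed layout)
INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")


def parse_infected(report: str) -> dict[str, set[str]]:
    """Return {on-disk path: {detection names}} for every 'Infected:' line.

    The scanner reports archive members as "archive.zip/member"; only the
    part before the first "/" exists on disk (Windows paths use "\\"), so
    that is the path a cleanup tool has to act on.  "Object is locked" lines
    and the per-archive "ZIP: infected - N" summaries add no new path and
    are skipped.
    """
    found: dict[str, set[str]] = {}
    for line in report.splitlines():
        m = INFECTED_RE.match(line)
        if not m:
            continue
        on_disk = m.group("obj").split("/", 1)[0]
        found.setdefault(on_disk, set()).add(m.group("name"))
    return found


def quarantine(paths: list[str], quarantine_dir: Path) -> dict[str, str]:
    """Move each path under quarantine_dir, mirroring its original location.

    Mirroring the path (instead of flattening) keeps the file restorable if
    a detection turns out to be a false positive.  A file that is locked or
    in use is reported as "deferred" rather than raising; that is the case
    the OTMoveIt instructions above cover with a reboot.
    """
    results: dict[str, str] = {}
    for p in paths:
        src = Path(p)
        if not src.exists():
            results[p] = "not found"
            continue
        dest = quarantine_dir / src.relative_to(src.anchor)
        dest.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.move(str(src), str(dest))
            results[p] = "moved successfully"
        except OSError:
            results[p] = "deferred (locked or in use)"
    return results


def run_demo() -> dict[str, object]:
    """Exercise quarantine() on throwaway files in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    sample = root / "Desktop" / "sample_dropper.zip"
    sample.parent.mkdir(parents=True)
    sample.write_bytes(b"PK\x03\x04")  # placeholder bytes, not a real archive
    missing = root / "Desktop" / "already_gone.exe"
    qdir = root / "_Quarantine"
    moved = quarantine([str(sample), str(missing)], qdir)
    return {
        "sample": moved[str(sample)],
        "missing": moved[str(missing)],
        "source_remains": sample.exists(),
        "in_quarantine": (qdir / sample.relative_to(sample.anchor)).exists(),
    }


if __name__ == "__main__":
    for path, names in parse_infected(SAMPLE_REPORT).items():
        print(f"{path}: {', '.join(sorted(names))}")
    print(run_demo())
```

Run it as a script to see the two container paths extracted from the sample report (the zip and the rar, not their members) and the demo move. Moving rather than deleting is deliberate: the file stays available for a second opinion or restoration, which matters for grey-area detections such as the password-recovery and scanner tools flagged in this thread.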

#15 AbeN468
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Northern California

Posted 11 November 2007 - 01:49 PM

Hi Richie,
It seems that the program worked successfully on the first try.

Here are the OTMoveIt results:

C:\Documents and Settings\Administrator\Desktop\blankexeunderwindowsfolder.zip moved successfully.
X:\Applications\X-Scan moved successfully.

Created on 11/11/2007 10:46:42


And the HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:06 AM, on 11/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
P:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
P:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - P:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "P:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [NetLimiter] P:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Kirby Alarm.lnk = P:\Program Files\Kirby Alarm\kirbyalarm.exe
O8 - Extra context menu item: Download All by FlashGet - P:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - P:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - P:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6438 bytes
