Smitfraud-c.coreservice


53 replies to this topic

#1 KKelvin

Posted 11 January 2008 - 08:38 PM

I'm getting random popups. When I run Spybot in safe mode it detects no problems, but when I run in normal mode the only thing it couldn't fix was Smitfraud-C.CoreService C:\WINDOWS\system32\drivers\core.cache.dsk.

I ran VundoFix and it no longer has any files to remove, but I'm still getting popups.
I used SDFix in safe mode, still didn't fix it.
Also used SmitFraudFix (normal mode), still didn't fix it.

Not sure what to do. I tried manually deleting "core.cache" in "C:\WINDOWS\system32\drivers" but it says "Cannot delete core.cache: It is being used by another person or program. Close any programs that might be using the file and try again."

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:20 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\VundoFix.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {D53DF4A8-8413-4AC8-93B2-01435EC0CBBC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://qcmail.qc.cuny.edu/dwa7W.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Security Service (TEOU) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe

--
End of file - 6514 bytes
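The HijackThis log above is what the responder reads, and the entries worth pulling first are visible in it: an O23 service with no vendor string running svchost.exe from a subfolder of system32, a win.ini run= line, O15 Trusted Zone additions, and orphaned BHOs. As an added example (not code from the original post or from HijackThis), here is a small Python triage pass over lines copied from that log; the set of "core" binary names, the trusted roots and the reasons attached to each finding are this example's own assumptions.

```python
"""Triage a HijackThis 2.0 log for the autostart and service entries an
analyst reads first. Added example; the sample lines are copied from the
log in the post above, the heuristics are this example's own assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

WINDOWS_DIR = r"c:\windows"
SYSTEM32 = WINDOWS_DIR + r"\system32"
# Binaries that belong directly in system32; a copy in a subfolder is a masquerade.
CORE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Roots a Run entry is expected to point into (assumption for this example).
TRUSTED_ROOTS = (WINDOWS_DIR, r"c:\program files")

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Security Service (TEOU) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O23"
    reason: str
    line: str


SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
WININI_RE = re.compile(r"^F[23] - REG:win\.ini: (?P<key>run|load)=(?P<cmd>.+)$")
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)")
BHO_RE = re.compile(r"^O2 - BHO: .+ - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+')


def first_path(cmd):
    """Return the first drive-letter path in a command line, lower-cased, or None."""
    m = PATH_RE.search(cmd)
    return m.group(0).strip().lower() if m else None


def triage(log_text):
    """Return the Findings for every line that trips one of the heuristics."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if (m := SERVICE_RE.match(line)):
            path = first_path(m["path"]) or ""
            if m["owner"] == "Unknown owner":
                findings.append(Finding("O23", "service with no vendor string", line))
            folder, _, name = path.rpartition("\\")
            if name in CORE_NAMES and folder != SYSTEM32:
                findings.append(Finding("O23", f"{name} running from outside system32", line))
        elif (m := RUN_RE.match(line)):
            path = first_path(m["cmd"])
            if path and not path.startswith(TRUSTED_ROOTS):
                findings.append(Finding("O4", "Run entry pointing outside Windows/Program Files", line))
        elif (m := WININI_RE.match(line)):
            # win.ini run=/load= is a legacy autostart that modern software does not use.
            findings.append(Finding(line[:2], f"legacy win.ini {m['key']}= autostart", line))
        elif (m := ZONE_RE.match(line)):
            findings.append(Finding("O15", f"{m['host']} added to the Trusted Zone", line))
        elif (m := BHO_RE.match(line)) and m["path"].strip() == "(no file)":
            findings.append(Finding("O2", "orphaned BHO registration (no file)", line))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample above the two hits that matter are both on the same O23 line: the service has no vendor string and its binary is a svchost.exe living in system32\svcd rather than system32 itself, which is the same service the first post is unable to remove. The two O4 lines are clean under these rules, which is the point of checking the path rather than the name.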


#2 RichieUK
  • Malware Response Team

Posted 12 January 2008 - 06:32 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum KKelvin
My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed, which is somewhat suicidal.
Please download/install Avira AntiVir Personal Edition Classic[Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your pc when you've done.
After restart,open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Download FindAWF.exe and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Copy and paste the contents of the AWF.txt file in your next reply.

Also post a new HijackThis log please.

#3 KKelvin

Posted 13 January 2008 - 01:37 AM

Avira Antivirus Report File

AntiVir PersonalEdition Classic
Report file date: Saturday, January 12, 2008 14:13

Scanning for 1027920 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: YOUR-XHTR8HVC4P

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:11:04
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 19:11:04
ANTIVIR2.VDF : 7.0.1.205 620544 Bytes 1/8/2008 19:11:04
ANTIVIR3.VDF : 7.0.1.227 161280 Bytes 1/11/2008 19:11:04
AVEWIN32.DLL : 7.6.0.46 3084800 Bytes 1/12/2008 19:11:06
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.6.0.2 360488 Bytes 1/12/2008 19:11:06
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Saturday, January 12, 2008 14:13

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msdtc.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'swdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svcntaux.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'SpamSubtract.exe' - '1' Module(s) have been scanned
Scan process 'BackWeb-137903.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'SDTrayApp.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
35 processes with 35 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '23' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoTBar.exe
[DETECTION] Is the Trojan horse TR/Agent.duu
[INFO] The file was deleted!
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoTBar.exe
[DETECTION] Is the Trojan horse TR/Agent.duu
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QCW77CS2\tconv[1].exe
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\cnte-dhncgts.jar-119ad3ed-2a12824d.zip
[0] Archive type: ZIP
--> Dnnny.class
[DETECTION] Contains detection pattern of the Java virus JAVA/Exploit.Bytverify.5
--> Den.class
[DETECTION] Is the Trojan horse TR/Exploit.Bytverify
[INFO] The file was deleted!
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\cnte-dhncgts.jar-761ad59b-346c6489.zip
[0] Archive type: ZIP
--> Dnnny.class
[DETECTION] Contains detection pattern of the Java virus JAVA/Exploit.Bytverify.5
--> Den.class
[DETECTION] Is the Trojan horse TR/Exploit.Bytverify
[INFO] The file was deleted!
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\nRT.jar-1d5ec957-798ed050.zip
[0] Archive type: ZIP
--> HiPointInstallShieldRT.class
[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen
[INFO] The file was deleted!
C:\hp\bin\AUTOTKIT.EXE
[DETECTION] Is the Trojan horse TR/Agent.duu
[INFO] The file was deleted!
C:\hp\EXPLOREBAR\AUTOTKIT.EXE
[DETECTION] Is the Trojan horse TR/Agent.duu
[INFO] The file was deleted!
C:\Program Files\WinBudget\bin\crap.1197670854.old
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47ea1ab3.qua'!
C:\Program Files\WinBudget\bin\crap.1198297561.old
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47ea1ab4.qua'!
C:\Program Files\WinBudget\bin\matrix.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47fd1aa4.qua'!
C:\Program Files\WinBudget\bin\matrix.dll.1198297560.old
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4658d5bd.qua'!
C:\SDFix\backups\backups.zip
[0] Archive type: ZIP
--> backups/b122.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.haq.2
[INFO] The file was deleted!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP2\A0000039.exe
[DETECTION] Contains detection pattern of the dropper DR/Drop.Agent.bfr
[INFO] The file was deleted!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP2\A0000040.exe
[DETECTION] Contains detection pattern of the dropper DR/Softomate.U.67
[INFO] The file was deleted!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP2\A0004167.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.haq.2
[INFO] The file was deleted!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP5\A0004253.exe
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP6\A0006270.exe
[DETECTION] Is the Trojan horse TR/Agent.duu
[INFO] The file was deleted!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP6\A0006271.exe
[DETECTION] Is the Trojan horse TR/Agent.duu
[INFO] The file was deleted!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP6\A0006272.EXE
[DETECTION] Is the Trojan horse TR/Agent.duu
[INFO] The file was deleted!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP6\A0006273.EXE
[DETECTION] Is the Trojan horse TR/Agent.duu
[INFO] The file was deleted!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP6\A0006274.old
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47b91ab5.qua'!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP6\A0006275.old
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47b91ab6.qua'!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP6\A0006276.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '461cd5af.qua'!
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP6\A0006277.old
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47b91aa8.qua'!
C:\WINDOWS\system32\TmpX.exe
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\drivers\ndistapii.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <HP_RECOVERY>


End of the scan: Saturday, January 12, 2008 15:28
Used time: 1:15:29 min

The scan has been done completely.

6462 Scanning directories
371688 Files were scanned
19 viruses and/or unwanted programs were found
9 Files were classified as suspicious:
18 files were deleted
0 files were repaired
8 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
371669 Files not concerned
18955 Archives were scanned
3 Warnings
5 Notes



Contents of C:\ComboFix.txt

ComboFix 08-01-09.2 - Owner 2008-01-13 1:02:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.91 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\FNTS~1
C:\Program Files\Common Files\ssembl~1
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1194015181.old
C:\Program Files\WinBudget\bin\crap.1194646619.old
C:\Program Files\WinBudget\bin\crap.1195252700.old
C:\Program Files\WinBudget\bin\crap.1195957248.old
C:\Program Files\WinBudget\bin\crap.1197182986.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll.1194646619.old
C:\Program Files\WinBudget\bin\matrix.dll.1195252700.old
C:\Program Files\WinBudget\bin\matrix.dll.1195957248.old
C:\Program Files\WinBudget\bin\matrix.dll.1197182986.old
C:\Program Files\WinBudget\bin\matrix.dll.1197670854.old
C:\temp\tn3
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\ymbols~1\?ymbols\
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 01:11 . 2008-01-13 01:11 <DIR> d-------- C:\Temp\tn3
2008-01-13 01:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 14:07 . 2008-01-12 14:07 <DIR> d-------- C:\Program Files\Avira
2008-01-12 14:07 . 2008-01-12 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-12 13:31 . 2008-01-13 01:10 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-11 20:31 . 2008-01-11 21:59 189 --a------ C:\WINDOWS\wininit.ini
2008-01-11 19:54 . 2008-01-11 19:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-11 19:49 . 2008-01-11 19:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 19:18 . 2008-01-11 19:18 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-01-11 19:18 . 2008-01-13 01:12 114 --a------ C:\WINDOWS\system32\url3
2008-01-11 19:18 . 2008-01-13 01:12 102 --a------ C:\WINDOWS\system32\url2
2008-01-11 19:18 . 2008-01-13 01:12 102 --a------ C:\WINDOWS\system32\url1
2008-01-11 19:18 . 2008-01-13 01:12 8 --a------ C:\WINDOWS\system32\CID
2008-01-11 19:18 . 2008-01-11 19:18 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-11 19:17 . 2008-01-11 19:17 34,816 --a------ C:\info.exe
2008-01-11 19:16 . 2008-01-13 01:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-11 19:16 . 2008-01-11 19:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-11 18:58 . 2008-01-11 18:58 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-11 18:57 . 2008-01-11 18:58 <DIR> d-------- C:\Program Files\CCleaner
2008-01-11 17:58 . 2008-01-11 17:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-11 16:35 . 2008-01-11 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-11 15:45 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-11 15:45 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-11 15:45 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-11 15:45 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-11 15:45 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-11 15:45 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-11 15:45 . 2008-01-11 19:12 490 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-11 02:18 . 2008-01-11 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-11 02:17 . 2008-01-12 02:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-11 02:17 . 2008-01-11 02:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-11 02:09 . 2008-01-11 19:07 <DIR> d-------- C:\VundoFix Backups
2008-01-10 19:16 . 2008-01-12 02:24 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-01-10 03:29 . 2008-01-10 03:29 86,016 --a------ C:\WINDOWS\system32\drivers\ndistapii.sys
2008-01-10 03:28 . 2008-01-10 05:01 <DIR> d-------- C:\WINDOWS\system32\vt8
2008-01-10 03:28 . 2008-01-10 05:01 <DIR> d-------- C:\WINDOWS\system32\mp2
2008-01-10 03:28 . 2008-01-10 18:59 <DIR> d-------- C:\WINDOWS\system32\ez4
2008-01-10 03:28 . 2008-01-10 23:19 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-10 03:28 . 2008-01-10 03:28 <DIR> d-------- C:\WINDOWS\system32\che9
2008-01-10 03:28 . 2008-01-10 03:29 <DIR> d-------- C:\Temp\Ryuan1
2008-01-10 03:28 . 2008-01-13 01:11 <DIR> d-------- C:\Temp
2008-01-03 04:09 . 2008-01-03 04:09 <DIR> d-------- C:\Documents and Settings\Owner\.dwa_store
2008-01-03 03:33 . 2008-01-03 03:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-01-03 02:06 . 2008-01-13 00:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 01:55 . 2008-01-11 04:23 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-03 01:55 . 2008-01-03 01:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-01-03 01:55 . 2008-01-13 01:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-03 01:55 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-03 01:55 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-03 01:55 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-03 01:55 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-03 01:55 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-03 01:53 . 2008-01-03 01:53 <DIR> d-------- C:\Program Files\Google
2008-01-03 01:53 . 2008-01-13 00:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-14 17:25 . 2007-12-14 17:25 15 --a------ C:\WINDOWS\DBF8-B775-9E63-B1C0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 00:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-11 06:52 --------- d-----w C:\Program Files\QuickTime
2008-01-11 00:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Viewpoint
2008-01-11 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-10 07:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-01-10 07:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-01-10 04:58 --------- d-----w C:\Program Files\Warcraft III
2008-01-03 07:17 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-12-20 05:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2006-06-04 02:37 56 -csh--r C:\WINDOWS\system32\957F787228.sys
.
----a-w		   286,720 2008-01-11 06:52:30  C:\Program Files\QuickTime\qttask .exe
----a-w		 1,065,288 2008-01-11 09:23:22  C:\Program Files\Spyware Doctor\SDTrayApp .exe
----a-w		 1,318,912 2008-01-11 09:26:03  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe


((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D53DF4A8-8413-4AC8-93B2-01435EC0CBBC}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe" [2008-01-11 04:26 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 13:19 4841472]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2008-01-11 13:45 1065288]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56 158208]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"nwiz"="nwiz.exe" [2003-07-28 13:19 323584 C:\WINDOWS\system32\nwiz.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44 271672]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-12 14:11 249896]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-08-28 22:19:10]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-08-23 22:34:35]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-09-29 15:22 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 19:24 50760 C:\Program Files\Common Files\AOL\1139185461\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\jkkjh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2003-07-28 13:19 49152 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\system32\winupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-06-27 22:22 1258744 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-11-30 16:31 3461120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

R1 ndistapii;ndistapii;C:\WINDOWS\system32\drivers\ndistapii.sys [2008-01-10 03:29]
R2 TEOU;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-01-11 19:17]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-11 08:00:06 C:\WINDOWS\Tasks\SpywareRemover Scheduled Scan.job"
- C:\Program Files\SpywareRemover\SpywareRemover.ex
- C:\Program Files\SpywareRemover
"2006-02-06 21:32:13 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 01:12:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 1:17:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 06:17:54
.
2008-01-09 08:02:49 --- E O F ---




Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 01/13/2008
The current time is: 1:34:53.06


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 10:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\MULTIM~1\BAK

08/09/2003 11:27 AM 139,264 shwicon2k.exe
1 File(s) 139,264 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 11:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

01/03/2008 04:37 AM 183 hpsysdrv.DAT
05/07/1998 06:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,919 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

04/07/2003 09:07 AM 114,688 hkcmd.exe
10/16/2002 06:57 PM 81,920 ps2.exe
2 File(s) 196,608 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 11:59 AM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/16/2006 01:55 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

02/13/2003 10:01 AM 155,648 sgtray.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\BIN\BAK

06/22/2003 11:25 PM 24,576 backupnotify.exe
1 File(s) 24,576 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

10/07/2002 09:23 AM 90,112 hpqcmon.exe
1 File(s) 90,112 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/04/2004 10:46 AM 172,032 hpztsb10.exe
1 File(s) 172,032 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
139264 Aug 9 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
1464 Oct 11 2007 "C:\WINDOWS\system\hpsysdrv.dat"
183 Jan 3 2008 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
180269 Aug 16 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
155648 Feb 13 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
24576 Jun 22 2003 "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak\backupnotify.exe"
90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
172032 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe"


end of report

#4 KKelvin (Topic Starter)

Posted 13 January 2008 - 01:39 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:57 AM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {D53DF4A8-8413-4AC8-93B2-01435EC0CBBC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://qcmail.qc.cuny.edu/dwa7W.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Security Service (TEOU) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe

--
End of file - 7108 bytes

#5 RichieUK (Malware Response Team)

Posted 13 January 2008 - 07:46 AM

Double-click FindAWF.exe to start the tool.
Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
A text file will open up.
Please copy and paste the following bold text inside the quote box below into the text file:

"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
"C:\WINDOWS\system\bak\hpsysdrv.DAT"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\ps2.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak\backupnotify.exe"
"C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe"


Close the files.txt and click Yes to save the changes.
FindAWF will now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log.
Copy and paste the contents of that log in your next reply.


Download RenV.exe to your desktop, double-click to run it:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
When it's finished it will produce a log.
Please post the contents of that log into your next reply.

#6 KKelvin (Topic Starter)

Posted 13 January 2008 - 02:37 PM

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sun 01/13/2008
The current time is: 14:33:32.68


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 10:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\MULTIM~1\BAK

08/09/2003 11:27 AM 139,264 shwicon2k.exe
1 File(s) 139,264 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 11:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

01/03/2008 04:37 AM 183 hpsysdrv.DAT
05/07/1998 06:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,919 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

04/07/2003 09:07 AM 114,688 hkcmd.exe
10/16/2002 06:57 PM 81,920 ps2.exe
2 File(s) 196,608 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 11:59 AM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/16/2006 01:55 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

02/13/2003 10:01 AM 155,648 sgtray.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\BIN\BAK

06/22/2003 11:25 PM 24,576 backupnotify.exe
1 File(s) 24,576 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

10/07/2002 09:23 AM 90,112 hpqcmon.exe
1 File(s) 90,112 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/04/2004 10:46 AM 172,032 hpztsb10.exe
1 File(s) 172,032 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
139264 Aug 9 2003 "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
139264 Aug 9 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
183 Jan 3 2008 "C:\WINDOWS\system\hpsysdrv.DAT"
183 Jan 3 2008 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
180269 Aug 16 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Aug 16 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
155648 Feb 13 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
155648 Feb 13 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
24576 Jun 22 2003 "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe"
24576 Jun 22 2003 "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak\backupnotify.exe"
90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
172032 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe"
172032 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe"


end of report
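The two FindAWF reports above (post #3 before the restore, post #6 after it) show the shape of this infection: for each hijacked startup program the tool lists a copy kept in a `bak` subfolder and, where one exists, the live file of the same name in the parent folder. After a successful restore the live file and the `bak` copy have the same size; before it, the live file is either absent from the list or listed with a different size. The Python script below is an added triage example written for this page, not FindAWF's own code (FindAWF is by noahdfear): it parses the "Duplicate files of bak directory contents" section and classifies every `bak` entry. The report text embedded in it is a constructed sample that follows the layout of the reports posted in this thread, with paths trimmed to three cases.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of a FindAWF "Duplicate files of bak directory
# contents" section (not copied from a real report; sizes/dates mirror the thread).
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
1464 Oct 11 2007 "C:\WINDOWS\system\hpsysdrv.dat"
183 Jan 3 2008 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
114688 Apr 7 2003 "C:\WINDOWS\system32\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"

end of report
"""

# One report line: <size> <Mon> <day> <year> "<path>"
ENTRY_RE = re.compile(
    r'^(?P<size>\d+)\s+(?P<date>\w{3}\s+\d{1,2}\s+\d{4})\s+"(?P<path>[^"]+)"\s*$'
)


def parse_entries(report: str) -> dict[str, int]:
    """Map each listed path to its size in bytes.

    Paths are lower-cased because Windows file names are case-insensitive and
    FindAWF prints the bak copy and the live copy with differing case.
    """
    entries: dict[str, int] = {}
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("path").lower()] = int(m.group("size"))
    return entries


def triage(report: str) -> dict[str, str]:
    """For every file listed inside a bak folder, judge the live copy one level up.

    Returns {live_path (lower-case): verdict}. Three outcomes are possible from the
    report alone; none of them replaces hashing the files on the actual machine.
    """
    entries = parse_entries(report)
    verdicts: dict[str, str] = {}
    for path, size in entries.items():
        p = PureWindowsPath(path)
        if p.parent.name != "bak":
            continue  # this is a live copy or an unrelated duplicate, not a backup
        live = str(p.parent.parent / p.name)
        if live not in entries:
            verdicts[live] = "live copy not listed: still replaced or missing"
        elif entries[live] != size:
            verdicts[live] = "live copy differs in size: treat as replaced"
        else:
            verdicts[live] = "live copy matches backup: restored"
    return verdicts


if __name__ == "__main__":
    for live_path, verdict in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{verdict:50s} {live_path}")
```

Run against the real report text saved by FindAWF, the output is a short list of which startup programs still need attention; in the post #6 report every entry would come out as "restored", in the post #3 report none would.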

#7 KKelvin (Topic Starter)

Posted 13 January 2008 - 02:38 PM

Ran on Sun 01/13/2008 - 14:38:02.54



----a-w      286,720 2008-01-11 06:52:30  C:\Program Files\QuickTime\qttask .exe
----a-w    1,065,288 2008-01-11 09:23:22  C:\Program Files\Spyware Doctor\SDTrayApp .exe
----a-w    1,318,912 2008-01-11 09:26:03  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe

 Entries:          3  (3)
 Directories:      0  Files:      3
 Bytes:    2,670,920  Blocks: 5,217
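The RenV log above lists three program files whose names carry a space before the extension (`qttask .exe`, `SDTrayApp .exe`, `SUPERAntiSpyware .exe`), and the HijackThis log in post #4 shows one of them being launched from an O4 Run entry in that spaced form. The script below is an added example for this page, not RenV's code (RenV is by sUBs): it parses HijackThis-style O4 lines, extracts the program image from each command line, and flags images whose name has whitespace before the extension, which is the pattern RenV reported. The O4 lines in it are a constructed sample modelled on the entries in this thread.

```python
import re

# Constructed HijackThis-style O4 lines (sample input, not a real log). The spaced
# "SUPERAntiSpyware .exe" and "qttask .exe" forms mirror entries seen in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe',
    r'O4 - HKLM\..\Run: [nwiz] nwiz.exe /install',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
]

# "O4 - <hive\..\Run>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# last path component, then one or more spaces, then a program extension
SPACED_EXT_RE = re.compile(r'([^\\/"\s]+) +\.(exe|dll|scr|com)\b', re.I)


def command_image(cmd: str) -> str:
    """Return the program path from a Run-key command line.

    A quoted command yields the quoted text. An unquoted one is cut at the first
    token that starts with '/' or '-', because unquoted paths may contain spaces.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    image = []
    for tok in cmd.split(' '):
        if tok[:1] in ('/', '-') and image:
            break
        image.append(tok)
    return ' '.join(image)


def flag_spaced_extensions(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (hive, value name, image) for autorun entries whose image name
    has whitespace before its extension."""
    flagged = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        image = command_image(m.group('cmd'))
        if SPACED_EXT_RE.search(image):
            flagged.append((m.group('hive'), m.group('name'), image))
    return flagged


if __name__ == "__main__":
    for hive, name, image in flag_spaced_extensions(SAMPLE_O4_LINES):
        print(f"{hive} [{name}] -> {image}")
```

Run over a full HijackThis log this gives the autorun entries worth comparing against a RenV listing; it only flags the naming pattern, it does not decide which of the two same-named files is legitimate.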


#8 RichieUK (Malware Response Team)

Posted 13 January 2008 - 04:47 PM

Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\hp\KBD\bak
C:\Program Files\Multimedia Card Reader\bak
C:\WINDOWS\system\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Common Files\AOL\IPHSend\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

[Image omitted]
Referring to the picture above, drag Log.txt into RenV.exe
When finished, it shall produce a new log for you.
Post that log in your next reply.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

If the above link doesn't work, try this:
http://www.kaspersky.com/kos/english/kavwebscan.html

Double-click on the FindAWF.exe again to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Copy and paste the contents of the AWF.txt file in your next reply.

#9 KKelvin (Topic Starter)

Posted 13 January 2008 - 05:18 PM

Folder move failed. C:\hp\KBD\bak scheduled to be moved on reboot.
C:\Program Files\Multimedia Card Reader\bak moved successfully.
C:\WINDOWS\system\bak moved successfully.
C:\Program Files\HP\hpcoretech\bak moved successfully.
C:\Program Files\HP\HP Software Update\bak moved successfully.
C:\Program Files\Common Files\AOL\IPHSend\bak moved successfully.
C:\Program Files\Common Files\Real\Update_OB\bak moved successfully.
C:\Program Files\Common Files\Sonic\Update Manager\bak moved successfully.
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak moved successfully.
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak moved successfully.
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak moved successfully.

OTMoveIt2 v1.0.6 log created on 01132008_171754

#10 KKelvin (Topic Starter)

Posted 13 January 2008 - 05:26 PM

Ran on Sun 01/13/2008 - 17:24:42.48



------w    1,065,288 2008-01-11 09:23:22  C:\Program Files\Spyware Doctor\SDTrayApp .exe

 Entries:          1  (1)
 Directories:      0  Files:      1
 Bytes:    1,065,288  Blocks: 2,081


#11 RichieUK (Malware Response Team)

Posted 13 January 2008 - 05:40 PM

Thanks, carry on with the Kaspersky Online Scanner instructions now if you will.

#12 KKelvin (Topic Starter)

Posted 13 January 2008 - 06:13 PM

Not so sure about this whole part:
"Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run. "

I installed the scanner from the link you gave using IE. But I didn't do the Scan settings part. I could not find
" Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases"

I am scanning "My computer" right now; I did not scan critical areas or startup objects.

#13 RichieUK (Malware Response Team)

Posted 13 January 2008 - 06:26 PM

Post the scan report when you're done please.

#14 KKelvin (Topic Starter)

Posted 14 January 2008 - 12:06 AM

I'm having trouble pasting the kaspersky.txt.
Every time I paste it into the reply the browser will go "Not responding" and just freeze, until I end task.
Also my computer and internet seem to be running slower than before.

I did complete the scan, and I deleted the detected files or whatever. I have 2 txt. One before I deleted the infections and one after I did the deletions.

Any help on how I can post the kaspersky.txt would be nice. I restarted twice already and every time I try pasting it gives me the "not responding" message.

#15 KKelvin (Topic Starter)

Posted 14 January 2008 - 12:44 AM

OK, so I tried to send the txt scan report to another computer and post it, but the same thing happened. The txt is pretty long. I keep getting the "Not responding" message every attempt.

So here is just a small portion of the scan report: (The beginning and the ending)
99% - Scan My Computer
----------------------
Scanned: 331899
Detected: 7
Untreated: 6
Start time: 1/13/2008 6:08:20 PM
Duration: 02:44:26
Finish time: Unknown
Signatures published: 1/13/2008 3:09:07 PM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1\A0000003.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP2\A0000018.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP2\A0000029.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP2\A0000031.exe
detected: Trojan program Trojan-Downloader.Java.Agent.f File: C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0d96-51ce2511.zip/vlocal.class
detected: Trojan program Trojan-Downloader.Java.Agent.f File: C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0dc2-65b69eeb.zip
detected: Trojan program Trojan-Downloader.Java.Agent.f File: C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0e0e-5e99f8f0.zip

Statistics
----------
Object                  Scanned  Detected  Untreated  Deleted  Moved to Quarantine  Archives  Packed files  Password protected  Corrupted
----------------------  -------  --------  ---------  -------  -------------------  --------  ------------  ------------------  ---------
All objects              118332         7          7        0                    0      6763           174                  53          0
System memory              2185         0          0        0                    0         0             0                   0          0
Startup objects             464         0          0        0                    0         0             3                   0          0
System Backup storage      3626         4          4        0                    0        33            26                   0          0
All hard drives          112057         3          3        0                    0      6730           145                  53          0
All removable drives          0         0          0        0                    0         0             0                   0          0


Settings
--------
Parameter                                                          Value
---------                                                          -----
Security Level                                                     Recommended
Action                                                             Prompt for action when the scan is complete
Run mode                                                           Manually
File types                                                         Scan all files
Scan only new and changed files                                    No
Scan archives                                                      All
Scan embedded OLE objects                                          All
Skip if object is larger than                                      No
Skip if scan takes longer than                                     No
Parse email formats                                                No
Scan password-protected archives                                   No
Enable iChecker technology                                         Yes
Enable iSwift technology                                           Yes
Record information about dangerous objects to program statistics   Yes



