
Win32.tiny.abk


18 replies to this topic

#1 goofed up

goofed up

  • Members
  • 16 posts

Posted 16 February 2008 - 12:58 AM

Long story short, downloaded virus, it got worse, bottom of curve: background loaded, everything froze, firewall wouldn't load, HJT and Spybot wouldn't start. Whatever I had was downloading friends. Anyway, I think I'm back on track; AVG, Ad-aware and Stopzilla give me a clean bill of health. Spybot says I have Win32.tiny.abk; it deletes it, then after reboot it is back. I've tried rootkit removers, Panda, Blacklight and AVG. My HJT log has one file that I can't place, everything else seems in order. The internet, in all its wisdom, has been no help at removing this. Here's my HJT log; the O23 - Service: Indexing Service CiSvcSENS entry I don't know what it does or how to stop it. Anyway, any help is appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:11 PM, on 2008-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Generic\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Generic ChkMail.lnk = C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\Software\..\Telephony: DomainName = Freshwater.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = Freshwater.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Indexing Service CiSvcSENS (CiSvcSENS) - Unknown owner - C:\WINDOWS\system32\ahuih.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe (file missing)
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6520 bytes
____
Next day. I've not done anything different, just run Spybot a couple more times; anyway, the tiny.abk hasn't shown back up after 2 reboots and scans. But I don't want to assume I'm clean yet.

Edited by goofed up, 16 February 2008 - 01:02 PM.




#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 29 February 2008 - 12:45 AM

Hello goofed up and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

When posting your log, please make sure you post the HijackThis log as a reply and not as an attachment. If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 goofed up

goofed up
  • Topic Starter

  • Members
  • 16 posts

Posted 29 February 2008 - 11:30 AM

Basically it's the same as above. I know I downloaded a couple viruses, know where I got them, knew it when I did it. At its worst, the computer wouldn't boot up, or it would get to the background and just lock up. I had all sorts of errors, Adaware was blue screening the computer, I couldn't get the firewall to start properly, HJT wouldn't start either. I think I've fought it back, the system seems pretty stable, but I'm not comfortable saying it's all over. O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll, O23 - Service: Indexing Service CiSvcSENS (CiSvcSENS) - Unknown owner - C:\WINDOWS\system32\ahuih.exe (file missing) and some of the Java stuff seems weird, but I have no idea what I'm doing. LSPfix leaves is3lsp.dll alone. And I can't figure out the CiSvcSENS.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:33 AM, on 2008-02-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Generic\Power4 Gear\BatteryLife.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Generic ChkMail.lnk = C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\Software\..\Telephony: DomainName = Freshwater.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = Freshwater.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Indexing Service CiSvcSENS (CiSvcSENS) - Unknown owner - C:\WINDOWS\system32\ahuih.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6866 bytes

Edited by goofed up, 29 February 2008 - 12:07 PM.
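An added example, my own and not part of this thread or of HijackThis: a Python script that scores HijackThis entries for the patterns that turn up in the logs and backup list of this thread, such as the O23 CiSvcSENS service goofed up asks about (unknown owner, file missing), Run keys under the SYSTEM hive, overridden DNS servers, AppInit_DLLs and a service path using an alternate data stream. The point weights, the threshold and the SAMPLE_LOG subset are assumptions chosen for the example.

```python
"""Score HijackThis 2.0 log entries for the autostart patterns seen in this thread.

Heuristics only: a hit means "look closer", not "malware". The point weights
are this example's own choice, not anything HijackThis itself reports.
"""
import ipaddress
import re

# Constructed sample: entries copied from the HijackThis logs and the
# "HijackThis Fixed Entries" backup list in this thread, plus benign lines
# (SynTPEnh, NVSvc, the Domain entry, PnkBstrA) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: ibuntu - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Indexing Service CiSvcSENS (CiSvcSENS) - Unknown owner - C:\WINDOWS\system32\ahuih.exe (file missing)
O23 - Service: FFI - Unknown owner - C:\WINDOWS\system32\svchost.exe:exm.exe (file missing)
"""

# "O23 - Service: ..." / "R0 - HKCU\..." -> (section, body)
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


def score_entry(section, body):
    """Return (points, reasons) for one HijackThis entry."""
    reasons = []
    if "(file missing)" in body:
        # The registry still starts it but the binary is gone: a cleaner removed
        # the file but not the service or Run key (the CiSvcSENS case here).
        reasons.append((2, "points at a file that no longer exists (orphaned autostart)"))
    if section == "O23":
        if "Unknown owner" in body:
            # Weak on its own: legitimate binaries without a version resource
            # (PunkBuster's PnkBstrA) look the same, so only one point.
            reasons.append((1, "service binary carries no company information"))
        if re.search(r"\.exe:[^\\\s]+", body):
            reasons.append((3, "service path names an NTFS alternate data stream"))
    elif section == "O4":
        if body.startswith("HKUS\\"):
            reasons.append((1, "Run key under a service or default user hive"))
        if "\\Application Data\\" in body or "\\Local Settings\\" in body:
            reasons.append((2, "autostart binary lives in a profile data directory"))
        if re.search(r"\\drivers\\[^\\]+\.exe", body, re.IGNORECASE):
            reasons.append((2, "an .exe placed in the drivers directory"))
    elif section == "O17":
        m = re.search(r"NameServer\s*=\s*(.+)$", body)
        if m:
            servers = [s for s in re.split(r"[\s,]+", m.group(1)) if s]
            try:
                if any(ipaddress.ip_address(s).is_global for s in servers):
                    reasons.append((3, "DNS overridden with public servers: " + " ".join(servers)))
            except ValueError:
                reasons.append((1, "NameServer value is not a list of IP addresses"))
    elif section == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append((3, "AppInit_DLLs loads a DLL into every process that uses user32"))
        if body.startswith("Winlogon Notify:") and body.rstrip().endswith("\\"):
            reasons.append((2, "Winlogon Notify entry names a directory, not a DLL"))
    return sum(p for p, _ in reasons), [text for _, text in reasons]


def triage(log_text, threshold=2):
    """Return {entry: (score, reasons)} for entries scoring at least threshold."""
    flagged = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        score, reasons = score_entry(m.group(1), m.group(2))
        if score >= threshold:
            flagged[line] = (score, reasons)
    return flagged


if __name__ == "__main__":
    ranked = sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0])
    for entry, (score, reasons) in ranked:
        print(f"[{score}] {entry}")
        for text in reasons:
            print(f"      - {text}")
```

Feed it a full log with `triage(open("hijackthis.log").read())`; PnkBstrA scores only one point and stays below the threshold, which is the intended behaviour for "Unknown owner" on its own.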


#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 01 March 2008 - 03:05 AM

Hi goofed up,

Basically it's the same as above. I know I downloaded a couple viruses, know where I got them, knew it when I did it.

Why in heaven would you download something with a virus on purpose? Asking now for help after doing such on purpose is a weird way of going about things.
You should read this: http://www.malwarebytes.org/forums/index.php?showtopic=1416 and this http://forums.spybot.info/showthread.php?t=8178


Step #1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click "Continue".
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
Step #2

Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close ALL applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt to your post.
The logs can be quite lengthy; use two posts if you need to get them all in.

Step #3

Please post back with main.txt and the extra.txt. Thanks.

Edited by Yourhighness, 01 March 2008 - 03:07 AM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#5 goofed up

goofed up
  • Topic Starter

  • Members
  • 16 posts

Posted 01 March 2008 - 04:28 PM

Thanks for helping. Just for the record, I didn't download it on purpose... I'm not a complete idiot. I just meant that I realized it when it happened, but it was too late. Sort of like the second before you hit your finger with a hammer. I got rid of StopZilla (DSS wouldn't start until I got rid of it.) Here are the logs. Thanks again for helping.

Deckard's System Scanner v20071014.68
Run by bback on 2008-03-01 15:13:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
15: 2008-03-01 21:13:42 UTC - RP112 - Deckard's System Scanner Restore Point
14: 2008-03-01 21:09:01 UTC - RP111 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
13: 2008-03-01 20:51:32 UTC - RP110 - Installed Java™ 6 Update 4
12: 2008-03-01 20:49:21 UTC - RP109 - Installed Java™ SE Development Kit 6 Update 4
11: 2008-03-01 20:43:36 UTC - RP108 - Removed Java™ 6 Update 3


-- First Restore Point --
1: 2008-02-16 18:31:42 UTC - RP98 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as bback.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:41 PM, on 2008-03-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Generic\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\bback\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\bback.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Generic ChkMail.lnk = C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\Software\..\Telephony: DomainName = Freshwater.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = Freshwater.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Indexing Service CiSvcSENS (CiSvcSENS) - Unknown owner - C:\WINDOWS\system32\ahuih.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5850 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080213-141416-517 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
backup-20080213-141416-738 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
backup-20080213-141416-820 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080213-141417-173 O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20080213-141417-267 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080213-141417-299 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080213-141417-683 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080213-141417-840 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080213-143400-549 O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
backup-20080213-143400-769 O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1202684740.dll (file missing)
backup-20080213-143400-852 O2 - BHO: Gamburg provider - {6607E676-1BDE-4cb3-9913-4DC5EBCAE35E} - unifff.dll (file missing)
backup-20080213-143400-944 O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20080214-213925-215 O20 - AppInit_DLLs: cru629.dat
backup-20080214-213925-313 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
backup-20080214-213925-820 O17 - HKLM\System\CS2\Services\Tcpip\..\{04130A54-0848-4022-8523-0704F26201CC}: NameServer = 85.255.113.125,85.255.112.159
backup-20080214-213925-852 O20 - Winlogon Notify: ibuntu - C:\WINDOWS\
backup-20080214-213926-107 O23 - Service: Indexing Service CiSvcSENS (CiSvcSENS) - Unknown owner - C:\WINDOWS\system32\ahuih.exe (file missing)
backup-20080214-213926-627 O21 - SSODL: DriveAvp - {e0c79a57-8c87-48e7-bbf3-d672b7e94f9e} - C:\WINDOWS\Installer\{e0c79a57-8c87-48e7-bbf3-d672b7e94f9e}\DriveAvp.dll (file missing)
backup-20080214-213926-776 O23 - Service: FFI - Unknown owner - C:\WINDOWS\system32\svchost.exe:exm.exe (file missing)
backup-20080214-220522-104 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
backup-20080214-220746-960 O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
backup-20080215-094836-187 O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
backup-20080215-094836-532 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe (User 'SYSTEM')
backup-20080215-094836-991 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
backup-20080215-175700-428 O23 - Service: Indexing Service CiSvcSENS (CiSvcSENS) - Unknown owner - C:\WINDOWS\system32\ahuih.exe (file missing)
backup-20080215-184942-179 O23 - Service: Indexing Service CiSvcSENS (CiSvcSENS) - Unknown owner - C:\WINDOWS\system32\ahuih.exe (file missing)
backup-20080215-185028-958 O23 - Service: Indexing Service CiSvcSENS (CiSvcSENS) - Unknown owner - C:\WINDOWS\system32\ahuih.exe (file missing)
backup-20080222-161022-122 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S1 4fdw - c:\windows\system32\4fdw.dll (file missing)
S1 krnllds (Kernel CryptoModule) - c:\windows\system32\krnllds.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 OwnershipProtocol - c:\program files\intel\wireless\bin\oprotsvc.exe <Not Verified; Intel Corporation; Intel PROSet/Wireless>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>

S2 CiSvcSENS (Indexing Service CiSvcSENS) - c:\windows\system32\ahuih.exe srv (file missing)
S4 FFI - c:\windows\system32\svchost.exe:exm.exe (file missing)
S4 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-02-01 and 2008-03-01 -----------------------------

2008-03-01 15:09:21 0 d-------- C:\Documents and Settings\Default User\Application Data\Talkback
2008-03-01 15:09:02 0 d-------- C:\Documents and Settings\Default User\Application Data\Mozilla
2008-03-01 14:52:20 0 d-------- C:\Program Files\Sun
2008-03-01 14:49:33 0 d-------- C:\Program Files\Java
2008-02-23 13:52:40 0 d-------- C:\Program Files\Common Files\Java
2008-02-22 20:33:43 0 d-------- C:\Documents and Settings\bback\Application Data\Move Networks
2008-02-22 09:43:26 0 d-------- C:\VundoFix Backups
2008-02-15 22:02:03 8576 --a------ C:\WINDOWS\system32\drivers\lujabmgmrwwp.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-15 14:09:46 2410528 --a------ C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-15 10:44:30 0 d-------- C:\Program Files\Lavasoft
2008-02-15 10:43:51 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 19:45:24 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-14 19:45:19 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-14 19:44:53 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-14 19:44:14 0 d-------- C:\WINDOWS\Internet Logs
2008-02-14 15:17:33 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-14 15:14:32 0 d-------- C:\Program Files\Common Files\iS3
2008-02-14 15:14:32 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-14 14:05:52 0 d-------- C:\Documents and Settings\bback\.housecall6.6
2008-02-14 13:31:55 12998 --a------ C:\WINDOWS\obasubuf.sys
2008-02-14 13:31:55 19992 --a------ C:\WINDOWS\jenotybu.bat
2008-02-14 13:31:54 12664 --a------ C:\WINDOWS\sedycofip.scr
2008-02-14 13:31:54 13289 --a------ C:\WINDOWS\manyrobuh.scr
2008-02-14 13:31:54 14206 --a------ C:\WINDOWS\feletykary.dat
2008-02-14 13:31:54 18201 --a------ C:\Documents and Settings\bback\Application Data\exozovahu.exe
2008-02-14 13:31:54 16292 --a------ C:\Documents and Settings\All Users\Application Data\ugulykav.sys
2008-02-14 13:31:54 11951 --a------ C:\Documents and Settings\All Users\Application Data\qewypizoj.dat
2008-02-14 13:31:54 15242 --a------ C:\Documents and Settings\All Users\Application Data\isediciv.exe
2008-02-14 13:31:54 18738 --a------ C:\Documents and Settings\All Users\Application Data\gupiw.dat
2008-02-14 13:31:54 13065 --a------ C:\Documents and Settings\All Users\Application Data\getaqi.com
2008-02-14 13:31:54 14521 --a------ C:\Documents and Settings\All Users\Application Data\aqityfi.reg
2008-02-14 13:31:53 10654 --a------ C:\WINDOWS\onewacaz.reg
2008-02-14 13:31:53 19358 --a------ C:\WINDOWS\ifukovuky.exe
2008-02-14 13:31:53 11748 --a------ C:\Program Files\Common Files\qikal.bat
2008-02-14 13:31:53 16183 --a------ C:\Documents and Settings\bback\Application Data\operox.bin
2008-02-14 13:31:53 13954 --a------ C:\Documents and Settings\bback\Application Data\ihuv.com
2008-02-14 13:31:52 19211 --a------ C:\WINDOWS\xisyfej.dll
2008-02-14 13:31:52 13418 --a------ C:\WINDOWS\system32\uqoriwopig.scr
2008-02-14 13:31:52 17255 --a------ C:\WINDOWS\system32\ereture.dat
2008-02-14 13:31:52 16117 --a------ C:\WINDOWS\pylo.scr
2008-02-14 13:31:52 14558 --a------ C:\Program Files\Common Files\ofebu.exe
2008-02-14 13:31:52 18479 --a------ C:\Program Files\Common Files\etodemukap.pif
2008-02-14 10:20:52 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-02-14 10:20:50 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-02-13 16:19:31 0 d-------- C:\Documents and Settings\bback\Application Data\Help
2008-02-13 16:04:43 0 d-------- C:\Documents and Settings\bback\Application Data\SystemRequirementsLab
2008-02-13 15:47:04 0 d-------- C:\WINDOWS\system32\appmgmt
2008-02-12 18:04:09 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-02-10 23:05:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 21:42:19 0 d-------- C:\Documents and Settings\bback\Application Data\Grisoft
2008-02-10 21:42:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 20:06:16 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-10 20:06:16 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-10 20:06:16 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-10 20:06:16 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-10 18:28:32 0 d-------- C:\Program Files\Trend Micro
2008-02-10 18:26:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-10 17:30:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 17:00:46 274 --a-s---- C:\WINDOWS\system32\426552044.dat
2008-02-09 15:43:21 0 d-------- C:\Program Files\Activision
2008-02-06 14:34:37 0 d-------- C:\Program Files\MSECache


-- Find3M Report ---------------------------------------------------------------

2008-03-01 14:28:47 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-02-28 16:01:08 0 d-------- C:\Program Files\TruthQuest Database 4.0 Folder
2008-02-25 16:49:59 0 d-------- C:\Program Files\Steam
2008-02-23 13:54:26 2272 --a------ C:\WINDOWS\mozver.dat
2008-02-23 13:52:40 0 d-------- C:\Program Files\Common Files
2008-02-14 13:31:56 18778 --a------ C:\Program Files\Common Files\eqaq.lib
2008-02-14 13:31:55 10729 --a------ C:\Program Files\Common Files\jozycokik._sy
2008-02-14 13:31:53 12096 --a------ C:\Program Files\Common Files\lyhyhyk.dl
2008-02-13 16:04:49 0 d-------- C:\Program Files\SystemRequirementsLab
2008-02-09 16:32:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-01 09:11:20 0 d-------- C:\Documents and Settings\bback\Application Data\Adobe
2008-01-31 15:46:01 0 d-------- C:\Documents and Settings\bback\Application Data\gtk-2.0
2008-01-27 08:10:19 0 d-------- C:\Documents and Settings\bback\Application Data\FileMaker
2008-01-27 08:10:02 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-27 08:09:31 0 --a------ C:\CONFIG.SYS
2008-01-27 08:09:31 0 --a------ C:\AUTOEXEC.BAT
2008-01-22 09:35:19 0 d-------- C:\Program Files\Winamp
2008-01-15 15:18:03 0 d-------- C:\Documents and Settings\bback\Application Data\InstallShield
2008-01-12 10:31:40 0 d-------- C:\Documents and Settings\bback\Application Data\Skype
2008-01-11 19:05:14 0 d-------- C:\Documents and Settings\bback\Application Data\skypePM
2008-01-11 19:03:45 0 d-------- C:\Program Files\Skype
2008-01-11 19:03:42 0 d-------- C:\Program Files\Common Files\Skype
2008-01-10 21:35:35 0 d-------- C:\Program Files\GIMP-2.0
2008-01-10 11:58:48 0 d-------- C:\Documents and Settings\bback\Application Data\Winamp
2008-01-06 23:56:19 0 d-------- C:\Documents and Settings\bback\Application Data\Bioshock
2007-12-08 14:55:14 1199 --a------ C:\WINDOWS\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-12-16 02:19 AM]
"nwiz"="nwiz.exe" [2005-11-24 02:28 AM C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 04:45 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 12:23 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 12:23 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 10:27 AM]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 10:31 AM]
"Power_Gear"="C:\Program Files\Generic\Power4 Gear\BatteryLife.exe" [2004-09-21 03:55 PM]
"RemoteControl"="C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe" [2003-10-31 06:42 PM]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 09:24 AM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 02:32 PM C:\WINDOWS\ALCWZRD.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 08:16 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 05:52 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 04:05 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Generic ChkMail.lnk - C:\Program Files\Generic\Generic ChkMail\ChkMail.exe [2007-11-19 6:50:28 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 10:27 AM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-03-01 15:16:02 ------------

EXTRA.TXT
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.86GHz
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 2047.3 MiB / 1579.66 MiB
Pagefile Memory (total/avail): 3939.26 MiB / 3633.91 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.79 MiB

C: is Fixed (NTFS) - 93.15 GiB total, 50.77 GiB free.
D: is CDROM (No Media)
S: is Network (Unformatted)
X: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - ST9100823A - 93.16 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 93.15 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\bback\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BRIAN-LT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\bback
LOGONSERVER=\\FRESHWATER1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\bback\LOCALS~1\Temp
TMP=C:\DOCUME~1\bback\LOCALS~1\Temp
tvdumpflags=8
USERDNSDOMAIN=FRESHWATER.LOCAL
USERDOMAIN=FRESHWATER
USERNAME=bback
USERPROFILE=C:\Documents and Settings\bback
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

bback (admin)
administrator (new local, admin, net ready)
user (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /X{EE43210C-266E-4101-8FBC-04378D5E9D42}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9B5AAC6D-AF21-4034-AF1D-A28274180BA6}\SETUP.EXE" -l0x9 anything
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ASUSDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
ATK0100 ACPI UTILITY --> C:\WINDOWS\ATK0100\XPunin.exe
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x9
Battlefield 1942: Secret Weapons of WWII --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B73B4A99-4173-4747-BBEC-0F05E966F9D2}\setup.exe" -l0x9
Battlefield 1942: The Road To Rome --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D057AA08-8CBF-42E3-9EAB-23B8FED1C279}\setup.exe" -l0x9
Call of Duty® 4 - Modern Warfare™ --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.4 Patch --> C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch --> C:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
Counter-Strike --> "C:\Program Files\Steam\steam.exe" steam://uninstall/10
CrossVue --> C:\WINDOWS\odeunst.exe -n "C:\Program Files\CrossVue\ODEUNST.LOG"
Day of Defeat --> "C:\Program Files\Steam\steam.exe" steam://uninstall/30
Enemy Territory - QUAKE Wars™ --> C:\Program Files\InstallShield Installation Information\{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}\setup.exe -runfromtemp -l0x0409
Enemy Territory - QUAKE Wars™ 1.2 Patch --> C:\Program Files\InstallShield Installation Information\{2EC66D1C-4AF5-4811-BEDE-849D90461AF5}\setup.exe -runfromtemp -l0x0409
Eraser --> "C:\Documents and Settings\All Users\Application Data\{74D61F17-FFC2-41AF-96E5-1DCB0631B6D1}\EraserSetup32.exe" REMOVE=TRUE MODIFY=FALSE
Eraser --> C:\Documents and Settings\All Users\Application Data\{74D61F17-FFC2-41AF-96E5-1DCB0631B6D1}\EraserSetup32.exe
Generic ChkMail --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Generic\Generic ChkMail\Uninst.isu"
GIMP 2.4.2 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Lost Coast --> "C:\Program Files\Steam\steam.exe" steam://uninstall/340
Half-Life: Blue Shift --> "C:\Program Files\Steam\steam.exe" steam://uninstall/130
HDAUDIO SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10431966\HXFSETUP.EXE -U -IHDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_10431966
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\bback\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp cp1160 --> rundll32 hpzcon04.dll,VendorJettison hp cp1160
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
ISO Recorder --> MsiExec.exe /I{DFC6573E-124D-4026-BFA4-B433C9D3FF21}
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ SE Development Kit 6 Update 4 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160040}
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
Medi@Show --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\CyberLink\MediaShow\Uninst.isu"
mEoU.msi --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Access 2002 Runtime --> MsiExec.exe /I{901C0409-6000-11D3-8CFE-0050048383C9}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUSR /dll OSETUP.DLL
Microsoft Office Professional Plus 2007 --> MsiExec.exe /X{91120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs --> MsiExec.exe /X{90120000-00B2-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.12) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.12) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Opposing Force --> "C:\Program Files\Steam\steam.exe" steam://uninstall/50
Power4 Gear --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{02D7C83F-FCCB-4EEC-9E4B-C6FF8AADC015}\SETUP.EXE" -l0x9
PowerDirector --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\Setup.exe" -uninstall
PunkBuster for Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{127B684B-A002-44C8-99A7-6CF8F1E26873}\setup.exe" -l0x9
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Realtek High Definition Audio Driver --> RtlUpd.exe -r
Security Update for Excel 2007 (KB936509) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {A00724F5-82C4-4924-B707-0E5A84B52471}
Security Update for Office 2007 (KB934062) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB936514) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {C7A78F7F-EF32-4477-BAD7-3439EA7571BF}
Security Update for Publisher 2007 (KB936646) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {A32E4BAF-6477-45FA-B8AB-E743FA8D63FF}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Team Fortress 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/440
Team Fortress Classic --> "C:\Program Files\Steam\steam.exe" steam://uninstall/20
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims Deluxe Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{10798AE3-DCBB-43C3-9C93-C23512427E25}\setup.exe" -l0009
TOSHIBA e-STUDIO3510c Series Client --> C:\Program Files\InstallShield Installation Information\{F3DD5D1F-2EE7-418C-B6D9-D59AB1FB2E0F}\SETUP.EXE -runfromtemp -l0x0009
TruthQuest Database --> C:\Program Files\TruthQuest Database 4.0 Folder\setup.exe TruthQuest Database
Update for Office 2007 (KB932080) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB934393) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {92FBAD46-E7F6-49FA-89B5-C39FC5BFAD15}
Update for Outlook 2007 (KB937608) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {CBB2454D-193F-4523-8A31-FEB343B7C30E}
Update for Outlook 2007 Junk Email Filter (kb944965) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {EA8C80AA-31D6-43F0-8CD8-CA85479A34F1}
Update for Word 2007 (KB934173) --> msiexec /package {91120000-0011-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinFlash --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B39AA98E-C966-46C9-ACA2-D2586E300988}\SETUP.EXE" -l0x9
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2811 / Error
Event Submitted/Written: 03/01/2008 02:47:43 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type2808 / Error
Event Submitted/Written: 03/01/2008 02:46:59 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type2804 / Error
Event Submitted/Written: 03/01/2008 02:46:43 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type2800 / Error
Event Submitted/Written: 03/01/2008 02:43:28 PM
Event ID/Source: 11704 / MsiInstaller
Event Description:
Product: Java™ 6 Update 3 -- Error 1704.An installation for Java™ SE Development Kit 6 Update 4 is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?

Event Record #/Type2799 / Error
Event Submitted/Written: 03/01/2008 02:33:01 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21945 / Error
Event Submitted/Written: 03/01/2008 03:08:32 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the service.

Event Record #/Type21944 / Error
Event Submitted/Written: 03/01/2008 03:08:02 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.

Event Record #/Type21941 / Warning
Event Submitted/Written: 03/01/2008 03:03:33 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {04130A54-0848-4022-8523-0704F26201CC}

Host Name : Brian-LT

Primary Domain Suffix : Freshwater.local

DNS server list :

192.168.2.1

Sent update to server : <?>

IP Address(es) :

192.168.2.11


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type21940 / Error
Event Submitted/Written: 03/01/2008 03:03:04 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type21918 / Error
Event Submitted/Written: 03/01/2008 02:47:57 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Beep
Gdsp62
IntelIde



-- End of Deckard's System Scanner: finished at 2008-03-01 15:16:02 ------------

#6 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 02 March 2008 - 12:58 PM

Hi goofed up,

Just for the record, I didn't download it on purpose... I'm not a complete idiot.

I was not implying that. The way you worded it made it sound as if you downloaded infected software on purpose (such as cracks) and then wanted to get rid of it. Don't worry about it. Let's get on with the removal process.

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Step #1

You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world. You need to install an antivirus program as soon as you can and run a complete scan of the computer. For further information, navigate here: http://www.us-cert.gov/cas/tips/ST04-005.html.

Please refer to the below for a list of free and suggested antivirus programmes: Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

Step #2

Please download ComboFix from here and save it to your Desktop.

When done downloading, please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • When you have completed the ComboFix instructions, copy and paste the contents of C:\ComboFix.txt in your next reply.
  • When done, be sure to re-enable your anti-virus and other security programs.

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Step #3

Please post a fresh HijackThis log and the ComboFix log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#7 goofed up
  • Topic Starter

  • Members
  • 16 posts

Posted 02 March 2008 - 04:44 PM

AVG is downloaded & here are the logs.

ComboFix 08-03-03.4 - bback 2008-03-02 15:32:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1456 [GMT -6:00]
Running from: C:\Documents and Settings\bback\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 14:21 . 2008-03-02 14:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-02 14:21 . 2008-03-02 14:25 <DIR> d-------- C:\Documents and Settings\bback\Application Data\AVG7
2008-03-02 14:21 . 2008-03-02 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
2008-03-02 14:21 . 2008-03-02 14:21 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-02 14:21 . 2008-03-02 14:21 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-01 15:13 . 2008-03-01 15:13 <DIR> d-------- C:\Deckard
2008-03-01 15:00 . 2008-03-01 15:04 3,072 --a------ C:\WINDOWS\system32\drivers\kgpfr.cfg
2008-03-01 14:52 . 2008-03-01 14:52 <DIR> d-------- C:\Program Files\Sun
2008-03-01 14:52 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-01 14:49 . 2008-03-01 14:52 <DIR> d-------- C:\Program Files\Java
2008-02-29 09:24 . 2008-03-01 15:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 09:24 . 2008-02-29 09:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 13:52 . 2008-02-23 13:52 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-22 20:33 . 2008-02-22 20:33 <DIR> d-------- C:\Documents and Settings\bback\Application Data\Move Networks
2008-02-22 09:43 . 2008-02-22 09:43 <DIR> d-------- C:\VundoFix Backups
2008-02-19 16:21 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-19 16:21 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-15 22:04 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-02-15 22:02 . 2008-02-15 22:01 8,576 --a------ C:\WINDOWS\system32\drivers\lujabmgmrwwp.sys
2008-02-15 14:09 . 2008-03-03 15:36 4,771,872 --a------ C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-15 14:09 . 2008-03-01 16:50 29,732 --a------ C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-15 12:57 . 2008-02-15 12:57 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-15 10:44 . 2008-02-15 10:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-15 10:43 . 2008-02-15 10:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 20:00 . 2008-02-14 20:00 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-14 20:00 . 2008-02-14 20:00 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-14 19:45 . 2008-02-14 19:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2008-02-14 19:45 . 2008-02-15 13:37 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-14 19:44 . 2008-02-15 12:57 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-14 19:44 . 2008-03-02 15:28 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-14 15:17 . 2008-03-01 12:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SITEguard
2008-02-14 15:14 . 2008-02-14 15:14 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-14 15:14 . 2008-03-01 15:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2008-02-14 14:06 . 2008-02-14 14:06 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-14 14:05 . 2008-02-14 14:10 <DIR> d-------- C:\Documents and Settings\bback\.housecall6.6
2008-02-14 13:31 . 2008-02-14 13:31 18,738 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\gupiw.dat
2008-02-14 13:31 . 2008-02-14 13:31 18,479 --a------ C:\Program Files\Common Files\etodemukap.pif
2008-02-14 13:31 . 2008-02-14 13:31 18,201 --a------ C:\Documents and Settings\bback\Application Data\exozovahu.exe
2008-02-14 13:31 . 2008-02-14 13:31 16,292 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\ugulykav.sys
2008-02-14 13:31 . 2008-02-14 13:31 16,183 --a------ C:\Documents and Settings\bback\Application Data\operox.bin
2008-02-14 13:31 . 2008-02-14 13:31 15,242 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\isediciv.exe
2008-02-14 13:31 . 2008-02-14 13:31 14,558 --a------ C:\Program Files\Common Files\ofebu.exe
2008-02-14 13:31 . 2008-02-14 13:31 14,521 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\aqityfi.reg
2008-02-14 13:31 . 2008-02-14 13:31 13,954 --a------ C:\Documents and Settings\bback\Application Data\ihuv.com
2008-02-14 13:31 . 2008-02-14 13:31 13,065 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\getaqi.com
2008-02-14 13:31 . 2008-02-14 13:31 11,951 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\qewypizoj.dat
2008-02-14 13:31 . 2008-02-14 13:31 11,748 --a------ C:\Program Files\Common Files\qikal.bat
2008-02-13 16:04 . 2008-02-13 16:04 <DIR> d-------- C:\Documents and Settings\bback\Application Data\SystemRequirementsLab
2008-02-11 00:56 . 2008-02-11 00:56 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-10 23:05 . 2008-02-15 12:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 23:05 . 2008-02-15 14:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-10 21:42 . 2008-02-10 21:42 <DIR> d-------- C:\Documents and Settings\bback\Application Data\Grisoft
2008-02-10 21:42 . 2008-03-02 14:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-02-10 21:42 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-10 18:28 . 2008-02-10 18:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:26 . 2008-02-10 18:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avira
2008-02-10 17:30 . 2008-02-10 17:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-02-10 17:00 . 2008-02-14 10:20 274 --a-s---- C:\WINDOWS\system32\426552044.dat
2008-02-09 15:43 . 2008-02-09 15:43 <DIR> d-------- C:\Program Files\Activision
2008-02-06 14:34 . 2008-02-06 14:34 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 15:08 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-01 20:30 1,505,280 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-28 23:20 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-28 23:20 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-28 22:01 --------- d-----w C:\Program Files\TruthQuest Database 4.0 Folder
2008-02-25 22:49 --------- d-----w C:\Program Files\Steam
2008-02-24 18:41 1,477,120 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-21 05:10 1,436,672 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-14 19:31 19,992 ----a-w C:\WINDOWS\jenotybu.bat
2008-02-14 19:31 19,358 ----a-w C:\WINDOWS\ifukovuky.exe
2008-02-14 19:31 19,211 ----a-w C:\WINDOWS\xisyfej.dll
2008-02-14 19:31 18,778 ----a-w C:\Program Files\Common Files\eqaq.lib
2008-02-14 19:31 16,117 ----a-w C:\WINDOWS\pylo.scr
2008-02-14 19:31 13,418 ----a-w C:\WINDOWS\system32\uqoriwopig.scr
2008-02-14 19:31 13,289 ----a-w C:\WINDOWS\manyrobuh.scr
2008-02-14 19:31 12,998 ----a-w C:\WINDOWS\obasubuf.sys
2008-02-14 19:31 12,664 ----a-w C:\WINDOWS\sedycofip.scr
2008-02-14 19:31 12,096 ----a-w C:\Program Files\Common Files\lyhyhyk.dl
2008-02-14 19:31 10,729 ----a-w C:\Program Files\Common Files\jozycokik._sy
2008-02-14 19:31 10,654 ----a-w C:\WINDOWS\onewacaz.reg
2008-02-14 16:21 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-02-14 06:05 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2008-02-13 22:04 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-02-09 22:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 22:10 22,328 ----a-w C:\Documents and Settings\bback\Application Data\PnkBstrK.sys
2008-01-31 21:46 --------- d-----w C:\Documents and Settings\bback\Application Data\gtk-2.0
2008-01-27 14:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-27 14:10 --------- d-----w C:\Documents and Settings\bback\Application Data\FileMaker
2008-01-22 15:35 --------- d-----w C:\Program Files\Winamp
2008-01-15 21:18 --------- d-----w C:\Documents and Settings\bback\Application Data\InstallShield
2008-01-12 16:31 --------- d-----w C:\Documents and Settings\bback\Application Data\Skype
2008-01-12 01:05 32 ----a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\ezsid.dat
2008-01-12 01:05 --------- d-----w C:\Documents and Settings\bback\Application Data\skypePM
2008-01-12 01:03 --------- d-----w C:\Program Files\Skype
2008-01-12 01:03 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-12 01:03 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2008-01-11 03:35 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-10 17:58 --------- d-----w C:\Documents and Settings\bback\Application Data\Winamp
2008-01-07 05:56 --------- d-----w C:\Documents and Settings\bback\Application Data\Bioshock
2008-01-07 04:58 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

------- Sigcheck -------

ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
----a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 359,040 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
-c----w 359,808 2006-04-20 11:51:50 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
-c--a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-12-16 02:19 98304]
"nwiz"="nwiz.exe" [2005-11-24 02:28 1519616 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 16:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 00:23 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 00:23 688218]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 10:27 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 10:31 356352]
"Power_Gear"="C:\Program Files\Generic\Power4 Gear\BatteryLife.exe" [2004-09-21 15:55 81920]
"RemoteControl"="C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 09:24 86016 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 14:32 2807808 C:\WINDOWS\ALCWZRD.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 17:52 849280]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-24 02:28 7335936]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-02 14:23 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-02 14:21 219136]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Generic ChkMail.lnk - C:\Program Files\Generic\Generic ChkMail\ChkMail.exe [2007-11-19 18:50:28 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 10:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2004-05-17 15:11]
S1 4fdw;4fdw;C:\WINDOWS\system32\4fdw.dll []
S1 krnllds;Kernel CryptoModule;C:\WINDOWS\system32\krnllds.sys []
S2 CiSvcSENS;Indexing Service CiSvcSENS;C:\WINDOWS\system32\ahuih.exe []
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []

*Newly Created Service* - AVG7ALRT
*Newly Created Service* - AVG7CORE
*Newly Created Service* - AVG7RSW
*Newly Created Service* - AVG7RSXP
*Newly Created Service* - AVG7UPDSVC
*Newly Created Service* - AVGCLEAN
*Newly Created Service* - AVGEMS
*Newly Created Service* - AVGTDI
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 15:36:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\FFI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe"
.
Completion time: 2008-03-03 15:37:38
ComboFix-quarantined-files.txt 2008-03-03 21:37:32
ComboFix2.txt 2008-02-21 17:59:59
.
2008-02-14 06:06:17 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:43, on 2008-03-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Generic\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Generic ChkMail.lnk = C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\Software\..\Telephony: DomainName = Freshwater.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = Freshwater.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service CiSvcSENS (CiSvcSENS) - Unknown owner - C:\WINDOWS\system32\ahuih.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7212 bytes
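
The two logs above carry three checks a practitioner makes by eye: a service whose image path contains a second colon (S4 FFI pointing at C:\WINDOWS\system32\svchost.exe:exm.exe, an NTFS alternate data stream hidden on svchost.exe); services whose binary ComboFix could not find (it prints empty brackets for 4fdw, krnllds, CiSvcSENS and FFI, and HijackThis says "file missing" for ahuih.exe); and Security Center / Windows Firewall values set so that nothing warns the user. The script below is an added example written for this page, not ComboFix's or BleepingComputer's code. It parses lines in the format shown in the logs (the sample text is a constructed excerpt lifted from this thread's logs), flags those three conditions, and, for the follow-up question of whether a fix script actually removed its targets, reports which targeted paths still appear in a later log listing. Function and constant names, and the reading of empty brackets as "binary not found", are the example's own assumptions.

```python
"""Triage of ComboFix-style log excerpts (added example; not ComboFix's own code).

Assumptions: the "[...]" after a service image path holds the binary's
timestamp and is empty when ComboFix could not find the file; the sample
text below is a constructed excerpt from the logs posted in this thread.
"""
import re
from dataclasses import dataclass

# "S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []"
# state+start-type ; service name ; display name ; image path [timestamp]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[(.*)\]\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')
# A "Files Created" / "Find3M" line: date, anything, then a drive-letter path.
PATH_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d .*?\s([A-Za-z]:\\.+?)\s*$")

# (fragment of the registry key, value name, value) meaning protection is off.
PROTECTION_OFF = (
    ("security center", "AntiVirusDisableNotify", "dword:00000001"),
    ("security center", "UpdatesDisableNotify", "dword:00000001"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", "0"),
)


@dataclass(frozen=True)
class Finding:
    kind: str      # which check matched
    subject: str   # service or value name
    detail: str    # the offending path or value


def triage_services(lines):
    """Flag services whose image is an ADS, is missing, or is a boot-start DLL."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, _display, image, stamp = m.groups()
        # A second ":" after the drive letter is an NTFS alternate data stream:
        # svchost.exe:exm.exe runs a stream hidden on the legitimate svchost.exe.
        if image.count(":") > 1:
            findings.append(Finding("ads_image_path", name, image))
        if stamp == "":  # assumed: empty brackets = binary could not be found
            findings.append(Finding("missing_binary", name, image))
        # Start type 0 (boot) or 1 (system) with a .dll image is not how drivers load.
        if start[1] in "01" and image.lower().endswith(".dll"):
            findings.append(Finding("driver_is_dll", name, image))
    return findings


def triage_registry(lines):
    """Flag Security Center / Windows Firewall values that silence protection."""
    findings, key = [], ""
    for raw in lines:
        line = raw.strip()
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group(1).lower()   # remember the key the values belong to
            continue
        v = REG_VAL_RE.match(line)
        if not v:
            continue
        name, value = v.groups()
        for key_frag, want_name, want_value in PROTECTION_OFF:
            if key_frag in key and name == want_name and value == want_value:
                findings.append(Finding("protection_disabled", name, f"{key}: {value}"))
    return findings


def listed_paths(lines):
    """Lower-cased paths from every dated file-listing line."""
    return {m.group(1).lower() for m in map(PATH_RE.match, map(str.strip, lines)) if m}


def survivors(targets, later_log_lines):
    """Targets of a fix script that still appear in a later log's file listing.

    Comparison is exact (case-insensitive) on the path string, so an 8.3 form
    such as C:\\DOCUME~1\\... only matches if the later log prints it the same way.
    """
    present = listed_paths(later_log_lines)
    return sorted(t for t in targets if t.lower() in present)


# Constructed excerpt from the first ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2005-11-24 02:28 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2004-05-17 15:11]
S1 4fdw;4fdw;C:\WINDOWS\system32\4fdw.dll []
S1 krnllds;Kernel CryptoModule;C:\WINDOWS\system32\krnllds.sys []
S2 CiSvcSENS;Indexing Service CiSvcSENS;C:\WINDOWS\system32\ahuih.exe []
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []
"""

# Constructed excerpt from the post-script log: two targeted files are still
# listed; the VundoFix folder appears only under "Other Deletions" (no date).
AFTER_LOG = r"""
C:\VundoFix Backups
2008-02-14 13:31 . 2008-02-14 13:31 18,738 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\gupiw.dat
2008-02-14 19:31 19,992 ----a-w C:\WINDOWS\jenotybu.bat
2008-03-02 15:08 --------- d-----w C:\Program Files\Mozilla Thunderbird
"""

TARGETS = [
    r"C:\DOCUME~1\ALLUSE~1\APPLIC~1\gupiw.dat",
    r"C:\WINDOWS\jenotybu.bat",
    r"C:\VundoFix Backups",
]

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in triage_services(lines) + triage_registry(lines):
        print(f"{f.kind:22} {f.subject:24} {f.detail}")
    print("still present after fix:", survivors(TARGETS, AFTER_LOG.splitlines()))
```

Run against the excerpt, the script flags FFI for the alternate data stream, all four of 4fdw, krnllds, CiSvcSENS and FFI for a missing binary, 4fdw for being a system-start DLL, and the three registry values that silence antivirus, update and firewall warnings. The survivor check is the part worth keeping for later: feed it the paths from a fix script and the "Files Created" section of the next log, and anything it returns was not removed.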

#8 goofed up

Posted 04 March 2008 - 05:38 PM

Thanks for helping, is there anything else I need to do?

#9 Yourhighness

  • Malware Response Team

Posted 05 March 2008 - 02:22 PM

Hey goofed up,

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    Suspect::[42]
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\gupiw.dat
    C:\Program Files\Common Files\etodemukap.pif
    C:\Documents and Settings\bback\Application Data\exozovahu.exe
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\ugulykav.sys
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\isediciv.exe
    C:\Program Files\Common Files\ofebu.exe
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\aqityfi.reg
    C:\Documents and Settings\bback\Application Data\ihuv.com
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\getaqi.com
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\qewypizoj.dat
    C:\Program Files\Common Files\qikal.bat
    C:\WINDOWS\system32\426552044.dat
    C:\WINDOWS\jenotybu.bat
    C:\WINDOWS\ifukovuky.exe
    C:\WINDOWS\xisyfej.dll
    C:\WINDOWS\jenotybu.bat
    C:\WINDOWS\ifukovuky.exe
    C:\WINDOWS\xisyfej.dll
    C:\Program Files\Common Files\eqaq.lib
    C:\WINDOWS\pylo.scr
    C:\WINDOWS\system32\uqoriwopig.scr
    C:\WINDOWS\manyrobuh.scr
    C:\WINDOWS\obasubuf.sys
    C:\WINDOWS\sedycofip.scr
    C:\Program Files\Common Files\lyhyhyk.dl
    C:\Program Files\Common Files\jozycokik._sy
    C:\WINDOWS\onewacaz.reg
    
    Folder::
    c:\Deckard\System Scanner
    C:\VundoFix Backups
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
    
    Driver::
    4fdw
    krnllds
    CiSvcSENS
    FFI
    
    Registry::
    [-HKEY_LOCAL_MACHINE\system\ControlSet003\Services\FFI]
  • Save this as CFScript.txt

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should popup after running ComboFix.
    Please include a link to this topic in the message.
Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.


Step #2

Please post back with the ComboFix log and a fresh HijackThis log. Thanks.



#10 goofed up

Posted 05 March 2008 - 03:03 PM

I submitted the file, Here are the logs. Thanks again for helping, I was ready to reload the machine.

ComboFix 08-03-03.4 - bback 2008-03-05 13:46:00.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1528 [GMT -6:00]
Running from: C:\Documents and Settings\bback\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\bback\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!\sgdefs.db
C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!\userdata.db
C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!\zilla5.log
C:\VundoFix Backups

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CISVCSENS
-------\LEGACY_FFI
-------\LEGACY_KRNLLDS
-------\4fdw
-------\CiSvcSENS
-------\FFI
-------\krnllds


((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-03 12:14 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-03-03 12:14 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-03-03 11:48 . 2008-03-03 11:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-03 11:48 . 2008-03-03 11:48 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-02 14:21 . 2008-03-02 14:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-02 14:21 . 2008-03-03 15:42 <DIR> d-------- C:\Documents and Settings\bback\Application Data\AVG7
2008-03-02 14:21 . 2008-03-02 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
2008-03-02 14:21 . 2008-03-02 14:21 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-02 14:21 . 2008-03-02 14:21 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-01 15:13 . 2008-03-05 13:48 <DIR> d-------- C:\Deckard
2008-03-01 15:00 . 2008-03-01 15:04 3,072 --a------ C:\WINDOWS\system32\drivers\kgpfr.cfg
2008-03-01 14:52 . 2008-03-01 14:52 <DIR> d-------- C:\Program Files\Sun
2008-03-01 14:52 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-01 14:49 . 2008-03-01 14:52 <DIR> d-------- C:\Program Files\Java
2008-02-23 13:52 . 2008-02-23 13:52 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-22 20:33 . 2008-03-03 17:43 <DIR> d-------- C:\Documents and Settings\bback\Application Data\Move Networks
2008-02-19 16:21 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-19 16:21 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-15 22:04 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-02-15 22:02 . 2008-02-15 22:01 8,576 --a------ C:\WINDOWS\system32\drivers\lujabmgmrwwp.sys
2008-02-15 14:09 . 2008-03-05 13:54 11,481,120 --a------ C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-15 14:09 . 2008-03-05 13:51 135,596 --a------ C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-15 12:57 . 2008-02-15 12:57 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-15 10:44 . 2008-02-15 10:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-15 10:43 . 2008-02-15 10:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 20:00 . 2008-02-14 20:00 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-14 20:00 . 2008-02-14 20:00 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-14 19:45 . 2008-02-14 19:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2008-02-14 19:45 . 2008-02-15 13:37 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-14 19:44 . 2008-02-15 12:57 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-14 19:44 . 2008-03-05 13:42 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-14 15:17 . 2008-03-01 12:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SITEguard
2008-02-14 15:14 . 2008-02-14 15:14 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-14 14:06 . 2008-02-14 14:06 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-14 14:05 . 2008-02-14 14:10 <DIR> d-------- C:\Documents and Settings\bback\.housecall6.6
2008-02-14 13:31 . 2008-02-14 13:31 18,738 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\gupiw.dat
2008-02-14 13:31 . 2008-02-14 13:31 18,479 --a------ C:\Program Files\Common Files\etodemukap.pif
2008-02-14 13:31 . 2008-02-14 13:31 18,201 --a------ C:\Documents and Settings\bback\Application Data\exozovahu.exe
2008-02-14 13:31 . 2008-02-14 13:31 16,292 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\ugulykav.sys
2008-02-14 13:31 . 2008-02-14 13:31 16,183 --a------ C:\Documents and Settings\bback\Application Data\operox.bin
2008-02-14 13:31 . 2008-02-14 13:31 15,242 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\isediciv.exe
2008-02-14 13:31 . 2008-02-14 13:31 14,558 --a------ C:\Program Files\Common Files\ofebu.exe
2008-02-14 13:31 . 2008-02-14 13:31 14,521 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\aqityfi.reg
2008-02-14 13:31 . 2008-02-14 13:31 13,954 --a------ C:\Documents and Settings\bback\Application Data\ihuv.com
2008-02-14 13:31 . 2008-02-14 13:31 13,065 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\getaqi.com
2008-02-14 13:31 . 2008-02-14 13:31 11,951 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\qewypizoj.dat
2008-02-14 13:31 . 2008-02-14 13:31 11,748 --a------ C:\Program Files\Common Files\qikal.bat
2008-02-13 16:04 . 2008-02-13 16:04 <DIR> d-------- C:\Documents and Settings\bback\Application Data\SystemRequirementsLab
2008-02-11 00:56 . 2008-02-11 00:56 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-10 23:05 . 2008-02-15 12:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 23:05 . 2008-02-15 14:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-10 21:42 . 2008-02-10 21:42 <DIR> d-------- C:\Documents and Settings\bback\Application Data\Grisoft
2008-02-10 21:42 . 2008-03-02 14:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-02-10 21:42 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-10 18:28 . 2008-02-10 18:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:26 . 2008-02-10 18:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avira
2008-02-10 17:30 . 2008-02-10 17:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-02-10 17:00 . 2008-02-14 10:20 274 --a-s---- C:\WINDOWS\system32\426552044.dat
2008-02-09 15:43 . 2008-02-09 15:43 <DIR> d-------- C:\Program Files\Activision
2008-02-06 14:34 . 2008-02-06 14:34 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 16:54 --------- d-----w C:\Documents and Settings\bback\Application Data\gtk-2.0
2008-03-05 16:02 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-04 01:59 --------- d-----w C:\Program Files\Steam
2008-03-03 18:51 --------- d-----w C:\Documents and Settings\bback\Application Data\Skype
2008-03-03 18:16 --------- d-----w C:\Documents and Settings\bback\Application Data\skypePM
2008-03-01 20:30 1,505,280 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-28 23:20 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-28 23:20 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-28 22:01 --------- d-----w C:\Program Files\TruthQuest Database 4.0 Folder
2008-02-24 18:41 1,477,120 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-21 05:10 1,436,672 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-14 19:31 19,992 ----a-w C:\WINDOWS\jenotybu.bat
2008-02-14 19:31 19,358 ----a-w C:\WINDOWS\ifukovuky.exe
2008-02-14 19:31 19,211 ----a-w C:\WINDOWS\xisyfej.dll
2008-02-14 19:31 18,778 ----a-w C:\Program Files\Common Files\eqaq.lib
2008-02-14 19:31 16,117 ----a-w C:\WINDOWS\pylo.scr
2008-02-14 19:31 13,418 ----a-w C:\WINDOWS\system32\uqoriwopig.scr
2008-02-14 19:31 13,289 ----a-w C:\WINDOWS\manyrobuh.scr
2008-02-14 19:31 12,998 ----a-w C:\WINDOWS\obasubuf.sys
2008-02-14 19:31 12,664 ----a-w C:\WINDOWS\sedycofip.scr
2008-02-14 19:31 12,096 ----a-w C:\Program Files\Common Files\lyhyhyk.dl
2008-02-14 19:31 10,729 ----a-w C:\Program Files\Common Files\jozycokik._sy
2008-02-14 19:31 10,654 ----a-w C:\WINDOWS\onewacaz.reg
2008-02-14 16:21 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-02-14 06:05 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2008-02-13 22:04 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-02-09 22:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 22:10 22,328 ----a-w C:\Documents and Settings\bback\Application Data\PnkBstrK.sys
2008-01-27 14:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-27 14:10 --------- d-----w C:\Documents and Settings\bback\Application Data\FileMaker
2008-01-22 15:35 --------- d-----w C:\Program Files\Winamp
2008-01-15 21:18 --------- d-----w C:\Documents and Settings\bback\Application Data\InstallShield
2008-01-12 01:05 32 ----a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\ezsid.dat
2008-01-12 01:03 --------- d-----w C:\Program Files\Skype
2008-01-12 01:03 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-12 01:03 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2008-01-11 03:35 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-10 17:58 --------- d-----w C:\Documents and Settings\bback\Application Data\Winamp
2008-01-07 05:56 --------- d-----w C:\Documents and Settings\bback\Application Data\Bioshock
2008-01-07 04:58 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
.

------- Sigcheck -------

ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
----a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 359,040 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
-c----w 359,808 2006-04-20 11:51:50 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
-c--a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-12-16 02:19 98304]
"nwiz"="nwiz.exe" [2005-11-24 02:28 1519616 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 16:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 00:23 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 00:23 688218]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 10:27 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 10:31 356352]
"Power_Gear"="C:\Program Files\Generic\Power4 Gear\BatteryLife.exe" [2004-09-21 15:55 81920]
"RemoteControl"="C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 09:24 86016 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 14:32 2807808 C:\WINDOWS\ALCWZRD.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 17:52 849280]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-24 02:28 7335936]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-02 14:23 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-02 14:21 219136]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Generic ChkMail.lnk - C:\Program Files\Generic\Generic ChkMail\ChkMail.exe [2007-11-19 18:50:28 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 10:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2004-05-17 15:11]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 13:54:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
.
**************************************************************************
.
Completion time: 2008-03-05 13:57:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-05 19:57:39
ComboFix2.txt 2008-03-03 21:37:40
ComboFix3.txt 2008-02-21 17:59:59
.
2008-02-14 06:06:17 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:02, on 2008-03-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Generic\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Generic ChkMail.lnk = C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\Software\..\Telephony: DomainName = Freshwater.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = Freshwater.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7143 bytes
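
An added worked check, not part of this thread and not ComboFix logic: the Find3M listing above shows twelve small files with random-looking names written to C:\WINDOWS, C:\WINDOWS\system32 and C:\Program Files\Common Files in the same minute (2008-02-14 19:31), which is what a dropper unpacking its components looks like in a file-timestamp listing. The Python below parses Find3M-style lines (the lines from the log above are embedded as the sample input) and reports bursts of that shape. The thresholds (five files, 64 KB, three extension kinds) are illustrative choices made for this example, not values taken from any tool.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the Find3M section of the ComboFix log above
# (the twelve files written in one minute plus a few ordinary entries).
SAMPLE_FIND3M = r"""
2008-03-05 16:54 --------- d-----w C:\Documents and Settings\bback\Application Data\gtk-2.0
2008-03-01 20:30 1,505,280 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-28 23:20 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-28 23:20 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-14 19:31 19,992 ----a-w C:\WINDOWS\jenotybu.bat
2008-02-14 19:31 19,358 ----a-w C:\WINDOWS\ifukovuky.exe
2008-02-14 19:31 19,211 ----a-w C:\WINDOWS\xisyfej.dll
2008-02-14 19:31 18,778 ----a-w C:\Program Files\Common Files\eqaq.lib
2008-02-14 19:31 16,117 ----a-w C:\WINDOWS\pylo.scr
2008-02-14 19:31 13,418 ----a-w C:\WINDOWS\system32\uqoriwopig.scr
2008-02-14 19:31 13,289 ----a-w C:\WINDOWS\manyrobuh.scr
2008-02-14 19:31 12,998 ----a-w C:\WINDOWS\obasubuf.sys
2008-02-14 19:31 12,664 ----a-w C:\WINDOWS\sedycofip.scr
2008-02-14 19:31 12,096 ----a-w C:\Program Files\Common Files\lyhyhyk.dl
2008-02-14 19:31 10,729 ----a-w C:\Program Files\Common Files\jozycokik._sy
2008-02-14 19:31 10,654 ----a-w C:\WINDOWS\onewacaz.reg
2008-02-14 16:21 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-01-07 04:58 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
"""

# Find3M line layout: <yyyy-mm-dd hh:mm> <size, or dashes for a directory> <attrs> <path>
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|-+)\s+(\S+)\s+(.+?)\s*$")


def parse_find3m(text):
    """One dict per file entry; directory entries (dashes instead of a size) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2)[0].isdigit():
            continue
        stamp, size, attrs, path = m.groups()
        entries.append({"stamp": stamp, "size": int(size.replace(",", "")),
                        "attrs": attrs, "path": path})
    return entries


def find_bursts(entries, min_files=5, max_size=65536, min_ext_kinds=3):
    """Group files by the minute they were written and keep the dropper-like bursts:
    at least min_files files, none larger than max_size, spread over several
    extensions. The thresholds are illustrative, not tuned values."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e["stamp"]].append(e)
    bursts = []
    for stamp, files in sorted(by_minute.items()):
        if len(files) < min_files or any(f["size"] > max_size for f in files):
            continue
        names = [f["path"].rsplit("\\", 1)[-1] for f in files]
        exts = {n.rsplit(".", 1)[-1].lower() for n in names if "." in n}
        if len(exts) < min_ext_kinds:
            continue
        bursts.append({
            "stamp": stamp,
            "count": len(files),
            "extensions": sorted(exts),
            "directories": sorted({f["path"].rsplit("\\", 1)[0] for f in files}),
            "paths": [f["path"] for f in files],
        })
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_find3m(SAMPLE_FIND3M)):
        print(f"{b['stamp']}: {b['count']} files, extensions {b['extensions']}")
        for d in b["directories"]:
            print("   ", d)
```

One thing to keep straight before merging sections of a ComboFix log: the same dropper event appears as 13:31 in the Files Created section of the ComboFix2.txt posted later in this thread and as 19:31 in Find3M, a six-hour gap that matches the [GMT -6:00] in the log header, so normalise the time bases before correlating entries across sections. The burst output is a lead, not a verdict: files written in the same minute by a legitimate installer also cluster, but an installer does not scatter .scr, .reg, .sys and .bat files with unrelated names across C:\WINDOWS and Common Files.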

#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 06 March 2008 - 12:13 AM

Hey goofed up,

Since you used ComboFix previous to my instructions and you are showing some files and entries that suggest you were / are heavily infected, please post the following log before we can continue: C:\ComboFix2.txt. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#12 goofed up

goofed up
  • Topic Starter

  • Members
  • 16 posts

Posted 06 March 2008 - 10:35 AM

Here is the only Combofix2.txt I could find; it was under qoobox. I got onto the Lavasoft forums to try to get help, but no one responded. I also tried here. I waited a couple of days, then figured I was on my own. So, I tried every antivirus/spy destroyer/rootkit eliminator I could find. I let combofix run but never gave it a CFscript. I figured worst-case scenario I was formatting and starting from scratch. Hope I didn't hose the thing up more.

ComboFix 08-03-03.4 - bback 2008-03-02 15:32:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1456 [GMT -6:00]
Running from: C:\Documents and Settings\bback\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 14:21 . 2008-03-02 14:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-02 14:21 . 2008-03-02 14:25 <DIR> d-------- C:\Documents and Settings\bback\Application Data\AVG7
2008-03-02 14:21 . 2008-03-02 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
2008-03-02 14:21 . 2008-03-02 14:21 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-02 14:21 . 2008-03-02 14:21 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-01 15:13 . 2008-03-01 15:13 <DIR> d-------- C:\Deckard
2008-03-01 15:00 . 2008-03-01 15:04 3,072 --a------ C:\WINDOWS\system32\drivers\kgpfr.cfg
2008-03-01 14:52 . 2008-03-01 14:52 <DIR> d-------- C:\Program Files\Sun
2008-03-01 14:52 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-01 14:49 . 2008-03-01 14:52 <DIR> d-------- C:\Program Files\Java
2008-02-29 09:24 . 2008-03-01 15:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 09:24 . 2008-02-29 09:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 13:52 . 2008-02-23 13:52 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-22 20:33 . 2008-02-22 20:33 <DIR> d-------- C:\Documents and Settings\bback\Application Data\Move Networks
2008-02-22 09:43 . 2008-02-22 09:43 <DIR> d-------- C:\VundoFix Backups
2008-02-19 16:21 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-19 16:21 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-15 22:04 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-02-15 22:02 . 2008-02-15 22:01 8,576 --a------ C:\WINDOWS\system32\drivers\lujabmgmrwwp.sys
2008-02-15 14:09 . 2008-03-03 15:36 4,771,872 --a------ C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-15 14:09 . 2008-03-01 16:50 29,732 --a------ C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-15 12:57 . 2008-02-15 12:57 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-15 10:44 . 2008-02-15 10:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-15 10:43 . 2008-02-15 10:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 20:00 . 2008-02-14 20:00 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-14 20:00 . 2008-02-14 20:00 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-14 19:45 . 2008-02-14 19:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2008-02-14 19:45 . 2008-02-15 13:37 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-14 19:44 . 2008-02-15 12:57 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-14 19:44 . 2008-03-02 15:28 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-14 15:17 . 2008-03-01 12:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SITEguard
2008-02-14 15:14 . 2008-02-14 15:14 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-14 15:14 . 2008-03-01 15:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2008-02-14 14:06 . 2008-02-14 14:06 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-14 14:05 . 2008-02-14 14:10 <DIR> d-------- C:\Documents and Settings\bback\.housecall6.6
2008-02-14 13:31 . 2008-02-14 13:31 18,738 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\gupiw.dat
2008-02-14 13:31 . 2008-02-14 13:31 18,479 --a------ C:\Program Files\Common Files\etodemukap.pif
2008-02-14 13:31 . 2008-02-14 13:31 18,201 --a------ C:\Documents and Settings\bback\Application Data\exozovahu.exe
2008-02-14 13:31 . 2008-02-14 13:31 16,292 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\ugulykav.sys
2008-02-14 13:31 . 2008-02-14 13:31 16,183 --a------ C:\Documents and Settings\bback\Application Data\operox.bin
2008-02-14 13:31 . 2008-02-14 13:31 15,242 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\isediciv.exe
2008-02-14 13:31 . 2008-02-14 13:31 14,558 --a------ C:\Program Files\Common Files\ofebu.exe
2008-02-14 13:31 . 2008-02-14 13:31 14,521 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\aqityfi.reg
2008-02-14 13:31 . 2008-02-14 13:31 13,954 --a------ C:\Documents and Settings\bback\Application Data\ihuv.com
2008-02-14 13:31 . 2008-02-14 13:31 13,065 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\getaqi.com
2008-02-14 13:31 . 2008-02-14 13:31 11,951 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\qewypizoj.dat
2008-02-14 13:31 . 2008-02-14 13:31 11,748 --a------ C:\Program Files\Common Files\qikal.bat
2008-02-13 16:04 . 2008-02-13 16:04 <DIR> d-------- C:\Documents and Settings\bback\Application Data\SystemRequirementsLab
2008-02-11 00:56 . 2008-02-11 00:56 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-10 23:05 . 2008-02-15 12:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 23:05 . 2008-02-15 14:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-10 21:42 . 2008-02-10 21:42 <DIR> d-------- C:\Documents and Settings\bback\Application Data\Grisoft
2008-02-10 21:42 . 2008-03-02 14:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-02-10 21:42 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-10 18:28 . 2008-02-10 18:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:26 . 2008-02-10 18:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avira
2008-02-10 17:30 . 2008-02-10 17:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-02-10 17:00 . 2008-02-14 10:20 274 --a-s---- C:\WINDOWS\system32\426552044.dat
2008-02-09 15:43 . 2008-02-09 15:43 <DIR> d-------- C:\Program Files\Activision
2008-02-06 14:34 . 2008-02-06 14:34 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 15:08 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-01 20:30 1,505,280 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-28 23:20 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-28 23:20 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-28 22:01 --------- d-----w C:\Program Files\TruthQuest Database 4.0 Folder
2008-02-25 22:49 --------- d-----w C:\Program Files\Steam
2008-02-24 18:41 1,477,120 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-21 05:10 1,436,672 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-14 19:31 19,992 ----a-w C:\WINDOWS\jenotybu.bat
2008-02-14 19:31 19,358 ----a-w C:\WINDOWS\ifukovuky.exe
2008-02-14 19:31 19,211 ----a-w C:\WINDOWS\xisyfej.dll
2008-02-14 19:31 18,778 ----a-w C:\Program Files\Common Files\eqaq.lib
2008-02-14 19:31 16,117 ----a-w C:\WINDOWS\pylo.scr
2008-02-14 19:31 13,418 ----a-w C:\WINDOWS\system32\uqoriwopig.scr
2008-02-14 19:31 13,289 ----a-w C:\WINDOWS\manyrobuh.scr
2008-02-14 19:31 12,998 ----a-w C:\WINDOWS\obasubuf.sys
2008-02-14 19:31 12,664 ----a-w C:\WINDOWS\sedycofip.scr
2008-02-14 19:31 12,096 ----a-w C:\Program Files\Common Files\lyhyhyk.dl
2008-02-14 19:31 10,729 ----a-w C:\Program Files\Common Files\jozycokik._sy
2008-02-14 19:31 10,654 ----a-w C:\WINDOWS\onewacaz.reg
2008-02-14 16:21 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-02-14 06:05 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2008-02-13 22:04 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-02-09 22:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 22:10 22,328 ----a-w C:\Documents and Settings\bback\Application Data\PnkBstrK.sys
2008-01-31 21:46 --------- d-----w C:\Documents and Settings\bback\Application Data\gtk-2.0
2008-01-27 14:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-27 14:10 --------- d-----w C:\Documents and Settings\bback\Application Data\FileMaker
2008-01-22 15:35 --------- d-----w C:\Program Files\Winamp
2008-01-15 21:18 --------- d-----w C:\Documents and Settings\bback\Application Data\InstallShield
2008-01-12 16:31 --------- d-----w C:\Documents and Settings\bback\Application Data\Skype
2008-01-12 01:05 32 ----a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\ezsid.dat
2008-01-12 01:05 --------- d-----w C:\Documents and Settings\bback\Application Data\skypePM
2008-01-12 01:03 --------- d-----w C:\Program Files\Skype
2008-01-12 01:03 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-12 01:03 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2008-01-11 03:35 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-10 17:58 --------- d-----w C:\Documents and Settings\bback\Application Data\Winamp
2008-01-07 05:56 --------- d-----w C:\Documents and Settings\bback\Application Data\Bioshock
2008-01-07 04:58 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

------- Sigcheck -------

ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
----a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 359,040 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
-c----w 359,808 2006-04-20 11:51:50 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
-c--a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-12-16 02:19 98304]
"nwiz"="nwiz.exe" [2005-11-24 02:28 1519616 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 16:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 00:23 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 00:23 688218]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 10:27 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 10:31 356352]
"Power_Gear"="C:\Program Files\Generic\Power4 Gear\BatteryLife.exe" [2004-09-21 15:55 81920]
"RemoteControl"="C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 09:24 86016 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 14:32 2807808 C:\WINDOWS\ALCWZRD.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 17:52 849280]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-24 02:28 7335936]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-02 14:23 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-02 14:21 219136]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Generic ChkMail.lnk - C:\Program Files\Generic\Generic ChkMail\ChkMail.exe [2007-11-19 18:50:28 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 10:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2004-05-17 15:11]
S1 4fdw;4fdw;C:\WINDOWS\system32\4fdw.dll []
S1 krnllds;Kernel CryptoModule;C:\WINDOWS\system32\krnllds.sys []
S2 CiSvcSENS;Indexing Service CiSvcSENS;C:\WINDOWS\system32\ahuih.exe []
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []

*Newly Created Service* - AVG7ALRT
*Newly Created Service* - AVG7CORE
*Newly Created Service* - AVG7RSW
*Newly Created Service* - AVG7RSXP
*Newly Created Service* - AVG7UPDSVC
*Newly Created Service* - AVGCLEAN
*Newly Created Service* - AVGEMS
*Newly Created Service* - AVGTDI
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 15:36:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\FFI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe"
.
Completion time: 2008-03-03 15:37:38
ComboFix-quarantined-files.txt 2008-03-03 21:37:32
ComboFix2.txt 2008-02-21 17:59:59
.
2008-02-14 06:06:17 --- E O F ---
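
An added example, not from this thread and not ComboFix's own logic: the service table in this log is where the substantive findings are. FFI runs C:\WINDOWS\system32\svchost.exe:exm.exe, an NTFS alternate data stream attached to the genuine svchost.exe (the same ImagePath shows up under ControlSet003 at the end of the log); CiSvcSENS borrows the "Indexing Service" display name but points at ahuih.exe rather than the real cisvc.exe; 4fdw registers a DLL as a system-start driver; and all four of the S1/S2/S4 entries lack a file timestamp. The registry section shows both Security Center notifications suppressed and the standard-profile Windows Firewall off. The Python below parses those two line formats (the lines from the log above are embedded as the sample input) and flags each condition. Two assumptions are made for the example: an empty [] in the service line is read as "no file at that path", and the WELL_KNOWN table is a one-entry illustration rather than a complete list of Windows services.

```python
import re

# Sample input: lines copied from the ComboFix2.txt excerpt above (the service
# table and the Security Center / Windows Firewall registry section).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2004-05-17 15:11]
S1 4fdw;4fdw;C:\WINDOWS\system32\4fdw.dll []
S1 krnllds;Kernel CryptoModule;C:\WINDOWS\system32\krnllds.sys []
S2 CiSvcSENS;Indexing Service CiSvcSENS;C:\WINDOWS\system32\ahuih.exe []
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []
"""

# Service line: <R|S><Start> <key name>;<display name>;<image path> [<file timestamp>]
# R/S is running/stopped and the digit is the Start value (0 boot, 1 system,
# 2 auto, 3 demand, 4 disabled). Assumption used below: an empty [] means
# ComboFix found no file at the image path.
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s*\[(.*)\]\s*$")
# Registry values as printed:  "Name"=dword:00000001   or   "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{1,8})|(\d+))')
# A second colon after the drive letter is an NTFS alternate data stream (file.exe:stream).
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")

# Windows XP services whose display name malware borrows. One-entry illustration:
# display-name prefix -> (real service key name, real image file name).
WELL_KNOWN = {"Indexing Service": ("CiSvc", "cisvc.exe")}

# Registry values a responder wants to see when they sit at the given setting.
POLICY_RULES = {
    "AntiVirusDisableNotify": (1, "Security Center antivirus warnings suppressed"),
    "UpdatesDisableNotify": (1, "Security Center update warnings suppressed"),
    "EnableFirewall": (0, "Windows Firewall disabled for the standard profile"),
}


def parse_service_line(line):
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, path, stamp = m.groups()
    return {"state": state, "start": int(start), "name": name,
            "display": display, "path": path, "stamp": stamp.strip()}


def service_findings(svc):
    """Reasons this service entry deserves a look; an empty list means nothing flagged."""
    reasons = []
    image = svc["path"].rsplit("\\", 1)[-1].lower()
    if ADS_RE.match(svc["path"]):
        reasons.append("image path is an NTFS alternate data stream")
    if not svc["stamp"]:
        reasons.append("no file timestamp recorded (image not found on disk)")
    if svc["start"] <= 1 and image.endswith(".dll"):
        reasons.append("boot/system-start entry whose image is a DLL, not a driver")
    for prefix, (real_name, real_image) in WELL_KNOWN.items():
        if svc["display"].startswith(prefix) and (
                svc["name"].lower() != real_name.lower() or image != real_image):
            reasons.append(f"display name borrows '{prefix}' but the real service is "
                           f"{real_name} ({real_image})")
    return reasons


def analyze(log_text):
    """Walk the log once; service lines go through service_findings, value lines
    through POLICY_RULES. Everything else is ignored."""
    result = {"services": [], "policy": []}
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc:
            for reason in service_findings(svc):
                result["services"].append({"service": svc["name"], "path": svc["path"], "reason": reason})
            continue
        m = VALUE_RE.match(line.strip())
        if m:
            name, hexval, decval = m.groups()
            value = int(hexval, 16) if hexval is not None else int(decval)
            rule = POLICY_RULES.get(name)
            if rule and value == rule[0]:
                result["policy"].append({"value": name, "reason": rule[1]})
    return result


def flagged_services(result):
    return sorted({f["service"] for f in result["services"]})


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for f in r["services"]:
        print(f"{f['service']:<10} {f['reason']}  <- {f['path']}")
    for f in r["policy"]:
        print(f"{f['value']:<24} {f['reason']}")
```

Weigh the two groups of hits differently. A third-party firewall such as the ZoneAlarm installed on this machine legitimately turns Windows Firewall off and registers with Security Center, so the policy findings are corroborating signals rather than proof on their own. A service whose image is an alternate data stream has no legitimate use, and it ties in with the Find3M entry showing C:\WINDOWS\system32\svchost.exe modified on 2008-02-14 16:21 at 14,336 bytes: writing a stream updates the host file's last-write time, so that timestamp is consistent with exm.exe being attached that day rather than the main executable being replaced, and comparing the file's hash against a known-good copy is what settles it. On the XP box itself, Sysinternals Streams (streams.exe) lists alternate data streams; the dir /R switch that does the same only arrived with Vista.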

#13 goofed up

goofed up
  • Topic Starter

  • Members
  • 16 posts

Posted 06 March 2008 - 10:39 AM

How about a combofix3.txt too?

ComboFix 08-02-21 - bback 2008-02-21 11:56:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1462 [GMT -6:00]
Running from: C:\Documents and Settings\bback\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Local Settings\Application Data\n.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-20 12:22 . 2008-02-21 10:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-20 12:22 . 2008-02-20 12:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-19 21:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-19 21:48 . 2008-02-19 21:49 <DIR> d-------- C:\Program Files\Java
2008-02-19 21:45 . 2008-02-19 21:45 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-19 16:21 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-19 16:21 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-15 22:04 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-02-15 22:02 . 2008-02-15 22:01 8,576 --a------ C:\WINDOWS\system32\drivers\lujabmgmrwwp.sys
2008-02-15 14:09 . 2008-02-21 11:58 1,216,544 --a------ C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-15 14:09 . 2008-02-21 11:22 14,924 --a------ C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-15 12:57 . 2008-02-15 12:57 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-15 10:44 . 2008-02-15 10:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-15 10:43 . 2008-02-15 10:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 20:00 . 2008-02-14 20:00 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-14 20:00 . 2008-02-14 20:00 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-14 19:45 . 2008-02-14 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-14 19:45 . 2008-02-15 13:37 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-14 19:44 . 2008-02-15 12:57 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-14 19:44 . 2008-02-21 11:54 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-14 15:17 . 2008-02-21 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-14 15:14 . 2008-02-14 15:14 <DIR> d-------- C:\Program Files\STOPzilla!
2008-02-14 15:14 . 2008-02-14 15:14 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-14 15:14 . 2008-02-21 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-14 14:06 . 2008-02-14 14:06 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-14 14:05 . 2008-02-14 14:10 <DIR> d-------- C:\Documents and Settings\bback\.housecall6.6
2008-02-14 13:31 . 2008-02-14 13:31 18,738 --a------ C:\Documents and Settings\All Users\Application Data\gupiw.dat
2008-02-14 13:31 . 2008-02-14 13:31 18,479 --a------ C:\Program Files\Common Files\etodemukap.pif
2008-02-14 13:31 . 2008-02-14 13:31 18,201 --a------ C:\Documents and Settings\bback\Application Data\exozovahu.exe
2008-02-14 13:31 . 2008-02-14 13:31 16,292 --a------ C:\Documents and Settings\All Users\Application Data\ugulykav.sys
2008-02-14 13:31 . 2008-02-14 13:31 16,183 --a------ C:\Documents and Settings\bback\Application Data\operox.bin
2008-02-14 13:31 . 2008-02-14 13:31 15,242 --a------ C:\Documents and Settings\All Users\Application Data\isediciv.exe
2008-02-14 13:31 . 2008-02-14 13:31 14,558 --a------ C:\Program Files\Common Files\ofebu.exe
2008-02-14 13:31 . 2008-02-14 13:31 14,521 --a------ C:\Documents and Settings\All Users\Application Data\aqityfi.reg
2008-02-14 13:31 . 2008-02-14 13:31 13,954 --a------ C:\Documents and Settings\bback\Application Data\ihuv.com
2008-02-14 13:31 . 2008-02-14 13:31 13,065 --a------ C:\Documents and Settings\All Users\Application Data\getaqi.com
2008-02-14 13:31 . 2008-02-14 13:31 11,951 --a------ C:\Documents and Settings\All Users\Application Data\qewypizoj.dat
2008-02-14 13:31 . 2008-02-14 13:31 11,748 --a------ C:\Program Files\Common Files\qikal.bat
2008-02-13 16:04 . 2008-02-13 16:04 <DIR> d-------- C:\Documents and Settings\bback\Application Data\SystemRequirementsLab
2008-02-11 00:56 . 2008-02-11 00:56 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-10 23:05 . 2008-02-15 12:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 23:05 . 2008-02-15 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 21:42 . 2008-02-10 21:42 <DIR> d-------- C:\Documents and Settings\bback\Application Data\Grisoft
2008-02-10 21:42 . 2008-02-10 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 21:42 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-10 18:28 . 2008-02-10 18:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:26 . 2008-02-10 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-10 17:30 . 2008-02-10 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 17:00 . 2008-02-14 10:20 274 --a-s---- C:\WINDOWS\system32\426552044.dat
2008-02-09 15:43 . 2008-02-09 15:43 <DIR> d-------- C:\Program Files\Activision
2008-02-06 14:34 . 2008-02-06 14:34 <DIR> d-------- C:\Program Files\MSECache
2008-02-01 14:36 . 2008-02-01 14:36 229,376 -ra------ C:\WINDOWS\system32\SZBase5.dll
2008-01-31 12:16 . 2008-01-31 12:16 34,944 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys
2008-01-30 17:53 . 2008-01-30 17:53 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2008-01-30 17:52 . 2008-01-30 17:52 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2008-01-30 17:52 . 2008-01-30 17:52 364,544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2008-01-30 17:52 . 2008-01-30 17:52 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2008-01-30 17:51 . 2008-01-30 17:51 192,512 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2008-01-30 17:51 . 2008-01-30 17:51 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2008-01-30 17:50 . 2008-01-30 17:50 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2008-01-30 17:50 . 2008-01-30 17:50 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2008-01-30 17:47 . 2008-01-30 17:47 704,512 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2008-01-27 08:10 . 2008-01-27 08:10 <DIR> d-------- C:\WINDOWS\Profiles
2008-01-27 08:10 . 2008-01-27 08:10 <DIR> d-------- C:\Documents and Settings\bback\Application Data\FileMaker
2008-01-27 08:09 . 2008-02-19 16:43 <DIR> d-------- C:\Program Files\TruthQuest Database 4.0 Folder
2008-01-27 08:09 . 2008-01-27 08:09 <DIR> d-------- C:\Documents and Settings\bback\WINDOWS
2008-01-27 08:09 . 2008-01-27 08:09 152,120 --a------ C:\WINDOWS\TQLogo.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 15:29 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-21 05:10 1,436,672 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-21 03:49 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-21 03:49 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-20 01:07 --------- d-----w C:\Program Files\Steam
2008-02-14 19:31 19,992 ----a-w C:\WINDOWS\jenotybu.bat
2008-02-14 19:31 19,358 ----a-w C:\WINDOWS\ifukovuky.exe
2008-02-14 19:31 19,211 ----a-w C:\WINDOWS\xisyfej.dll
2008-02-14 19:31 18,778 ----a-w C:\Program Files\Common Files\eqaq.lib
2008-02-14 19:31 16,117 ----a-w C:\WINDOWS\pylo.scr
2008-02-14 19:31 13,418 ----a-w C:\WINDOWS\system32\uqoriwopig.scr
2008-02-14 19:31 13,289 ----a-w C:\WINDOWS\manyrobuh.scr
2008-02-14 19:31 12,998 ----a-w C:\WINDOWS\obasubuf.sys
2008-02-14 19:31 12,664 ----a-w C:\WINDOWS\sedycofip.scr
2008-02-14 19:31 12,096 ----a-w C:\Program Files\Common Files\lyhyhyk.dl
2008-02-14 19:31 10,729 ----a-w C:\Program Files\Common Files\jozycokik._sy
2008-02-14 19:31 10,654 ----a-w C:\WINDOWS\onewacaz.reg
2008-02-14 16:21 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-02-14 06:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-13 22:04 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-02-09 22:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 22:10 22,328 ----a-w C:\Documents and Settings\bback\Application Data\PnkBstrK.sys
2008-01-31 21:46 --------- d-----w C:\Documents and Settings\bback\Application Data\gtk-2.0
2008-01-27 14:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-22 15:35 --------- d-----w C:\Program Files\Winamp
2008-01-15 21:18 --------- d-----w C:\Documents and Settings\bback\Application Data\InstallShield
2008-01-12 16:31 --------- d-----w C:\Documents and Settings\bback\Application Data\Skype
2008-01-12 01:05 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-12 01:05 --------- d-----w C:\Documents and Settings\bback\Application Data\skypePM
2008-01-12 01:03 --------- d-----w C:\Program Files\Skype
2008-01-12 01:03 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-12 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-01-11 03:35 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-10 17:58 --------- d-----w C:\Documents and Settings\bback\Application Data\Winamp
2008-01-07 05:56 --------- d-----w C:\Documents and Settings\bback\Application Data\Bioshock
2008-01-07 04:58 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-31 20:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-31 20:06 --------- d-----w C:\Program Files\CrossVue
2007-12-23 21:47 --------- d-----w C:\Documents and Settings\bback\Application Data\Snapfish
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-29 21:14 73,216 ----a-w C:\WINDOWS\ODEUNST.EXE
2007-11-29 21:14 331,776 ------w C:\WINDOWS\Setup1.exe
2007-11-29 21:14 3,929 ----a-w C:\WINDOWS\SETUP.LST.tmp
2007-11-29 21:14 151,622 ------w C:\WINDOWS\modcas.dll
2007-11-29 21:14 101,888 ------w C:\WINDOWS\odestkit.dll
2007-11-29 21:14 1,386,496 ------w C:\WINDOWS\msvbvm60.dll
2007-11-29 00:09 81,920 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-11-26 05:43 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
.

------- Sigcheck -------

"C:\WINDOWS\system32\drivers\tcpip.sys"
----a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 359,040 2006-02-28 12:00:00 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
-c----w 359,808 2006-04-20 11:51:50 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
-c--a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-12-16 02:19 98304]
"nwiz"="nwiz.exe" [2005-11-24 02:28 1519616 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 16:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 00:23 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 00:23 688218]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 10:27 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 10:31 356352]
"Power_Gear"="C:\Program Files\Generic\Power4 Gear\BatteryLife.exe" [2004-09-21 15:55 81920]
"RemoteControl"="C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 09:24 86016 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 14:32 2807808 C:\WINDOWS\ALCWZRD.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 17:52 849280]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Generic ChkMail.lnk - C:\Program Files\Generic\Generic ChkMail\ChkMail.exe [2007-11-19 18:50:28 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 10:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2008-01-31 12:16]
S0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2004-05-17 15:11]
S1 4fdw;4fdw;C:\WINDOWS\system32\4fdw.dll []
S1 krnllds;Kernel CryptoModule;C:\WINDOWS\system32\krnllds.sys []
S2 CiSvcSENS;Indexing Service CiSvcSENS;C:\WINDOWS\system32\ahuih.exe srv []
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 11:58:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\FFI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe"
.
Completion time: 2008-02-21 11:59:57
ComboFix-quarantined-files.txt 2008-02-21 17:59:53
.
2008-02-14 06:06:17 --- E O F ---

#14 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 08 March 2008 - 02:56 AM

Hey goofed up,

sorry for the delay.

I got onto the Lavasoft forums to try to get help, but no one responded.

They are probably just as busy as we are, and therefore I would appreciate it if you could let them know that you are getting help here, before they spend time analysing your log instead of someone else's who also has problems with their PC.

Using ComboFix on your own is not suggested as you can severely goof up your machine (no pun intended).

Step #1

Please do an online scan with Kaspersky Webscan (you need to use Internet Explorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button >> name it >> choose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #2

Please post back with the Kaspersky Online scan and a fresh HijackThis log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#15 goofed up
  • Topic Starter
  • Members
  • 16 posts

Posted 08 March 2008 - 12:36 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-03-08 11:33 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/03/2008
Kaspersky Anti-Virus database records: 614012
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
S:\
X:\

Scan Statistics:
Total number of scanned objects: 88399
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:28:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\bback\.housecall6.6\Quarantine\worsock.dll.bac_a04012 Infected: Trojan-PSW.Win32.Agent.yt skipped
C:\Documents and Settings\bback\Application Data\Mozilla\Firefox\Profiles\bal944s5.default\cert8.db Object is locked skipped
C:\Documents and Settings\bback\Application Data\Mozilla\Firefox\Profiles\bal944s5.default\history.dat Object is locked skipped
C:\Documents and Settings\bback\Application Data\Mozilla\Firefox\Profiles\bal944s5.default\key3.db Object is locked skipped
C:\Documents and Settings\bback\Application Data\Mozilla\Firefox\Profiles\bal944s5.default\parent.lock Object is locked skipped
C:\Documents and Settings\bback\Application Data\Mozilla\Firefox\Profiles\bal944s5.default\search.sqlite Object is locked skipped
C:\Documents and Settings\bback\Application Data\Mozilla\Firefox\Profiles\bal944s5.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\bback\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\bback\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\bback\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\bback\Local Settings\Application Data\Mozilla\Firefox\Profiles\bal944s5.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\bback\Local Settings\Application Data\Mozilla\Firefox\Profiles\bal944s5.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\bback\Local Settings\Application Data\Mozilla\Firefox\Profiles\bal944s5.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\bback\Local Settings\Application Data\Mozilla\Firefox\Profiles\bal944s5.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\bback\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\bback\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\bback\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\bback\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\bback\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7E49355D-994B-4037-A5BF-0B81F7B25E85}\RP118\change.log Object is locked skipped
C:\System Volume Information\_restore{7E49355D-994B-4037-A5BF-0B81F7B25E85}\RP99\A0047951.exe Object is locked skipped
C:\System Volume Information\_restore{7E49355D-994B-4037-A5BF-0B81F7B25E85}\RP99\A0047952.exe Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34 AM, on 3/8/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Generic\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Generic ChkMail.lnk = C:\Program Files\Generic\Generic ChkMail\ChkMail.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\Software\..\Telephony: DomainName = Freshwater.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Freshwater.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = Freshwater.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7259 bytes
