
Bagle Prob


This topic is locked
2 replies to this topic

#1 Grain


Posted 05 April 2008 - 02:18 PM

Hi all. Been recommended you guys by a friend. I'm afraid I am a software addict and not really up on systems etc...

Anyway, opened a file that I should not have apparently and thus the probs began. When my 3D software failed I rebooted and had the 'Windows Defender not working' message appear. Ran my spyware progs and the 'not a valid win.32' message appeared for each attempt at running. Uninstalled and tried to re-install and nothing. Tried to run Spybot in safe mode but PC would not allow safe mode. Tried to install HijackThis but again the 'not a valid win.32' message popped up. More and more applications became corrupt and unusable. Finally I lost my internet and ran my Windows install disk again. Internet has returned now but all the other symptoms are still there. Tried to re-install AVG but no joy.

Then I ran SafeBoot and was able to boot up in safe mode. Ran a Microsoft prog to remove malicious spyware and it picked up on Bagle and said it had removed it, but things have not improved.

The tools I have are as follows:

Spybot Search & Destroy (unable to install because of the 'not a valid win.32 file' error)

Ad-Aware

SmitFraudFix

CCleaner (I try to run it and it appears for a millisecond before vanishing.)

AVG Free (cannot install... 'not valid win' etc.)

AVG Anti-Rootkit (ran in safe mode, all clear)

DSS (Deckard's System Scanner). This ran OK and managed to get HijackThis to install when it wouldn't for me because of the 'not a valid' message. Got a log thanks to this baby.

Windows-KB890830-V1.39 (the Microsoft jobbie)

ComboFix (no idea what this does)

HijackThis (it works but I am a bit green regarding knowledge of this seemingly wonderful prog)

ZoneAlarm (not installed as yet... am familiar with this)

BullGuard (came with the PC)

Here are the logs from HijackThis and the Kaspersky online scan.

Any ideas or help would be appreciated. If I have missed anything I apologise. Like I say...I love to use the software but am a complete monkey when it comes to systems/OS work.



Deckard's System Scanner v20071014.68
Run by Andy on 2008-04-05 17:45:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-04-05 16:45:34 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-04-05 16:38:58 UTC - RP3 - Installed AVG 7.5
2: 2008-04-05 14:18:37 UTC - RP2 - Installed AVG 7.5
1: 2008-04-05 14:06:37 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Andy.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:47:03, on 05/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\DeltTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\AOL Companion\companion.exe
C:\Documents and Settings\Andy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Andy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEnterpriseServer\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageEnterpriseServer\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197636763453
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\\aolserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9218 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
R0 timounter (Acronis True Image Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R1 AvgClean (AVG7 Clean Driver) - c:\windows\system32\drivers\avgclean.sys (file missing)
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 P1C1394 (Phase One 1394 Camera Driver) - c:\windows\system32\drivers\p1c1394.sys <Not Verified; Phase One A/S; Phase One digital imaging>
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>
R3 DELTA (Service for Delta Driver (WDM)) - c:\windows\system32\drivers\delta.sys <Not Verified; Midiman/M-Audio; M-Audio Delta WDM Driver>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
S3 ADIHdAudAddService (ADI UAA Function Driver for High Definition Audio Service) - c:\windows\system32\drivers\adihdaud.sys (file missing)
S3 AEAudio (AE Audio Service) - c:\windows\system32\drivers\aeaudio.sys (file missing)
S3 afw (BullGuard Firewall Driver) - c:\windows\system32\drivers\afw.sys (file missing)
S3 PPPoEWin (PPPoEWin Miniport) - c:\windows\system32\drivers\pppoewin.sys (file missing)
S3 SenFiltService (SenFilt Service) - c:\windows\system32\drivers\senfilt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcrSch2Svc (Acronis Scheduler2 Service) - "c:\program files\common files\acronis\schedule2\schedul2.exe" <Not Verified; Acronis; Acronis Scheduler 2>
R2 Autodesk Licensing Service - "c:\program files\common files\autodesk shared\service\adskscsrv.exe" <Not Verified; Autodesk; Autodesk Licensing Service>
R2 mi-raysat_3dsmax8 (RaySat_3dsmax8 Server) - "c:\program files\autodesk\3dsmax8\mentalray\satellite\raysat_3dsmax8server.exe"
R3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>

S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe
S2 BgLiveSvc (BullGuard LiveUpdate) - "c:\program files\bullguard ltd\bullguard\bullguardupdate.exe" <Not Verified; BullGuard Ltd.; BullGuard>
S2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - "c:\program files\autodesk\3ds max 9\mentalray\satellite\raysat_3dsmax9_32server.exe"
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_11D4&DEV_198B&SUBSYS_1043829B&REV_1004\4&B3DDC6A&0&0001
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_11D4&DEV_198B&SUBSYS_1043829B&REV_1004\4&B3DDC6A&0&0001
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: BullGuard Firewall Miniport
Device ID: ROOT\AGTM_AFW_MP\0000
Manufacturer: BullGuard
Name: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter - BullGuard Firewall Miniport
PNP Device ID: ROOT\AGTM_AFW_MP\0000
Service: afw

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: BullGuard Firewall Miniport
Device ID: ROOT\AGTM_AFW_MP\0001
Manufacturer: BullGuard
Name: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller - BullGuard Firewall Miniport
PNP Device ID: ROOT\AGTM_AFW_MP\0001
Service: afw

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: BullGuard Firewall Miniport
Device ID: ROOT\AGTM_AFW_MP\0002
Manufacturer: BullGuard
Name: WAN Miniport (IP) - BullGuard Firewall Miniport
PNP Device ID: ROOT\AGTM_AFW_MP\0002
Service: afw


-- Scheduled Tasks -------------------------------------------------------------

2008-04-05 02:14:00 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-03-05 and 2008-04-05 -----------------------------

2008-04-05 17:46:54 0 d-------- C:\Program Files\Trend Micro
2008-04-05 17:17:26 96154 --a------ C:\WINDOWS\system32\drivers\srosa.sys
2008-04-05 16:59:28 3864 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-05 16:55:11 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-05 16:55:11 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-05 16:55:11 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-05 16:55:11 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-05 16:55:11 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-05 16:55:10 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-05 16:55:10 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-05 16:55:10 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-05 16:55:10 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-05 16:55:10 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-05 16:55:10 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-05 16:55:10 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-05 16:55:10 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-05 16:55:10 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-05 15:39:17 0 d-------- C:\WINDOWS\BDOSCAN8
2008-04-05 15:37:47 0 dr-h----- C:\Documents and Settings\Andy\Recent
2008-04-05 15:35:49 0 d-------- C:\Program Files\CCleaner
2008-04-05 15:27:19 0 d-------- C:\fsaua.data
2008-04-05 15:03:15 0 d-------- C:\WINDOWS\Prefetch
2008-04-05 14:28:58 0 d-------- C:\WINDOWS\setup.pss
2008-04-05 08:08:59 0 d-------- C:\Program Files\Support Tools
2008-04-04 15:33:10 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-04 15:32:45 0 d-------- C:\WINDOWS\Internet Logs
2008-04-04 15:29:30 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-04 12:33:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-04 01:40:01 688128 -----n--- C:\WINDOWS\system32\drivers\hldrrr.exe
2008-04-04 01:39:54 688128 --a------ C:\WINDOWS\system32\drivers\mdelk.exe
2008-04-04 01:34:22 0 d-------- C:\WINDOWS\system32\drivers\downld
2008-04-03 19:53:44 0 d-------- C:\Program Files\Apophysis 2.0
2008-04-03 18:20:20 0 d-------- C:\Documents and Settings\Andy\Application Data\Planetside Software
2008-04-03 18:20:07 0 d-------- C:\Program Files\Planetside Software
2008-04-03 16:53:53 0 d-------- C:\Documents and Settings\Andy\Application Data\uk.co.planetside
2008-04-03 16:50:33 0 d-------- C:\Program Files\Terragen
2008-04-03 13:29:12 0 d-------- C:\Program Files\Burrrn
2008-04-03 13:19:37 0 d-------- C:\Program Files\Winamp
2008-04-02 20:05:59 0 d-------- C:\Program Files\DAZ
2008-04-02 20:05:57 0 d-------- C:\Program Files\Common Files\DAZ
2008-03-24 12:29:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-24 12:25:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 18:36:18 0 d-------- C:\Program Files\Easy-Hide-IP
2008-03-22 18:10:35 0 d-------- C:\Program Files\SurfAnonymous
2008-03-10 21:55:10 0 d-------- C:\Program Files\MSXML 4.0
2008-03-06 20:29:56 0 dr-hs---- C:\Volume Information
2008-03-06 20:29:12 0 d-------- C:\WINDOWS\Instant Lock
2008-03-06 20:29:12 0 d-------- C:\Program Files\Instant Lock
2008-03-06 20:22:29 0 d-------- C:\Program Files\Folder Password Expert
2008-03-06 19:56:40 0 d-------- C:\Program Files\DownloadToolz
2008-03-05 12:38:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2008-04-05 14:57:02 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-04 13:32:19 0 d-------- C:\Program Files\Google
2008-04-04 09:31:10 0 d-------- C:\Documents and Settings\Andy\Application Data\uTorrent
2008-04-04 07:53:10 0 d-------- C:\Program Files\eMule
2008-04-04 01:35:42 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-03 18:02:07 0 d-------- C:\Documents and Settings\Andy\Application Data\Vso
2008-04-02 20:05:57 0 d-------- C:\Program Files\Common Files
2008-03-30 16:08:29 0 d-------- C:\Program Files\Autodesk
2008-03-30 16:08:11 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-28 07:03:28 0 d-------- C:\Program Files\uTorrent
2008-03-27 16:16:48 0 d-------- C:\Documents and Settings\Andy\Application Data\BullGuard
2008-03-25 07:51:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-10 13:23:31 0 d-------- C:\Documents and Settings\Andy\Application Data\Adobe
2008-03-05 15:30:28 0 d-------- C:\Documents and Settings\Andy\Application Data\Google
2008-03-04 15:09:37 0 d-------- C:\Program Files\Samsung
2008-03-01 20:24:47 0 d-------- C:\Program Files\Messenger
2008-03-01 20:24:47 0 d-------- C:\Program Files\DivX
2008-03-01 20:24:46 0 d-------- C:\Program Files\ASUS WiFi-AP Solo
2008-03-01 20:24:46 0 d-------- C:\Program Files\AOL Toolbar
2008-03-01 20:24:46 0 d-------- C:\Program Files\AOL 9.0
2008-03-01 20:24:45 0 d-------- C:\Program Files\Router Screenshot Grabber
2008-03-01 20:24:45 0 d-------- C:\Program Files\Photomatix
2008-03-01 09:17:48 0 d-------- C:\Program Files\Yahoo!
2008-03-01 09:14:53 0 d-------- C:\Program Files\AC3Filter
2008-02-29 18:25:12 34 --a------ C:\Documents and Settings\Andy\Application Data\pcouffin.log
2008-02-29 18:25:09 47360 --a------ C:\Documents and Settings\Andy\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-02-29 18:25:09 1144 --a------ C:\Documents and Settings\Andy\Application Data\pcouffin.inf
2008-02-29 18:25:09 1074 --a------ C:\Documents and Settings\Andy\Application Data\pcouffin.cat
2008-02-29 18:25:06 0 d-------- C:\Program Files\vso
2008-02-28 16:30:32 0 d-------- C:\Documents and Settings\Andy\Application Data\Yahoo!
2008-02-28 16:30:26 0 d-------- C:\Documents and Settings\Andy\Application Data\DivX
2008-02-28 16:28:30 0 d-------- C:\Documents and Settings\Andy\Application Data\CyberLink
2008-02-28 16:03:49 0 d-------- C:\Program Files\CDBurnerXP
2008-02-23 23:37:31 0 d-------- C:\Program Files\JPEGJape
2008-02-23 23:36:47 0 d-------- C:\Program Files\Common Files\aol
2008-02-23 23:35:46 0 d-------- C:\Program Files\Samsung(2)
2008-02-23 23:35:45 0 d-------- C:\Program Files\BitPim
2008-02-23 23:34:35 0 d-------- C:\Program Files\RegScrubXP
2008-02-23 19:59:13 0 d-------- C:\Program Files\Lavasoft
2008-02-22 17:00:16 0 d-------- C:\Documents and Settings\Andy\Application Data\Quark
2008-02-22 16:59:43 0 d-------- C:\Program Files\Quark
2008-02-09 09:35:43 0 d-------- C:\Documents and Settings\Andy\Application Data\RSG(2)
2008-01-09 15:01:48 53248 --a------ C:\WINDOWS\bdoscandel.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [20/03/2007 07:36]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [21/03/2007 09:23]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [28/06/2007 17:43]
"nwiz"="nwiz.exe" [28/06/2007 17:43 C:\WINDOWS\system32\nwiz.exe]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [05/04/2008 16:52]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [02/11/2004 21:24]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" []
"Phase One Media Reader"="C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe" [24/04/2007 21:31]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageEnterpriseServer\TrueImageMonitor.exe" [17/03/2006 13:01]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageEnterpriseServer\TimounterMonitor.exe" [17/03/2006 13:09]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [17/03/2006 13:03]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [08/04/2004 09:38]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [23/12/2007 12:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [23/12/2007 12:02]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe" [18/10/2004 17:42]
"DeltTray"="DeltTray.exe" [10/12/2003 02:53 C:\WINDOWS\system32\delttray.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [28/06/2007 17:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 13:00]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [05/04/2008 16:52]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [23/12/2006 19:05]
"drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [23/06/2004 06:01]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [04/04/2008 13:42]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Andy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 20:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [23/12/2007 12:01:48]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [23/12/2007 12:03:15]
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [14/12/2007 13:31:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard BgMainSvc BsFileScan BsMailProxy BsFire

*Newly Created Service* - AVGARCLN
*Newly Created Service* - AVG_ANTI-ROOTKIT
*Newly Created Service* - SJYPKT



-- End of Deckard's System Scanner: finished at 2008-04-05 17:47:24 ------------




Kaspersky Scan


KASPERSKY ONLINE SCANNER REPORT
Saturday, April 05, 2008 7:53:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 684963


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
G:\

Scan Statistics
Total number of scanned objects 68605
Number of viruses found 3
Number of infected objects 6
Number of suspicious objects 0
Duration of the scan process 01:07:02

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped

C:\Documents and Settings\All Users\Application Data\BullGuard\BsFileScan.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\BullGuard\BsFire.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\BullGuard\Logs\OnAccess.log Object is locked skipped

C:\Documents and Settings\Andy\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Andy\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Andy\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Andy\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Andy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Andy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Andy\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Andy\Local Settings\History\History.IE5\MSHist012008040520080406\index.dat Object is locked skipped

C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Andy\My Documents\prog rar files\dvd_player_morpher.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped

C:\Documents and Settings\Andy\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Andy\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{5E59E363-9DCA-43A8-AE4B-FCD783DA9B70}\RP2\A0000338.sys Object is locked skipped

C:\System Volume Information\_restore{5E59E363-9DCA-43A8-AE4B-FCD783DA9B70}\RP4\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\RTacDbg.txt Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.mn skipped

C:\WINDOWS\system32\drivers\mdelk.exe Infected: Trojan-Downloader.Win32.Bagle.mn skipped

C:\WINDOWS\system32\drivers\srosa.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\tmp000061c7\tmp00000000 Object is locked skipped

G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

G:\System Volume Information\_restore{5E59E363-9DCA-43A8-AE4B-FCD783DA9B70}\RP4\change.log Object is locked skipped

Scan process completed.


#2 amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 17 April 2008 - 06:50 AM

Hello and welcome to BC. :thumbsup:

Apologies for the long delay in response. This is a very nasty infection. If you are still having a problem, and want us to help you, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

Thank you for your patience.

#3 amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 20 April 2008 - 02:58 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.
