Trojan/spyware/virus Detected By Ad-aware And Spybot, But Not Removed


18 replies to this topic

#1 borat

Posted 14 April 2008 - 10:45 PM

Hello.
As I say, Spybot and also Ad-Aware detect a virus/spyware/trojan, not sure which, but it can't remove it, even if it does a scan on start-up. Here is the Spybot report on the trouble (note that the second problem in the list was unable to be fixed):

--- Search result list ---
Win32.Agent.pz: [SBI $B40811A5] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=...C:\WINDOWS\system32\ntos.exe,...

Win32.Agent.pz: [SBI $3889C81D] Program directory (Directory, fixing failed)
C:\WINDOWS\system32\wsnpoem\

Win32.Agent.pz: [SBI $D372DFBA] Library (File, fixed)
C:\WINDOWS\system32\wsnpoem\video.dll

Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $0F1C75F7] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID

Recently, I installed and uninstalled software called 'ghost dvd', but when I uninstalled it (I didn't uninstall it from the add/remove list; I found it on the 'all programs' list and uninstalled from there) the program still started up when I restarted. So I did a search for anything related to 'ghost dvd' and just deleted the files I found. I mention this just in case it has anything to do with the problem. OK, here's the HijackThis/DSS log:

Deckard's System Scanner v20071014.68
Run by Russ on 2008-04-15 00:02:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Russ.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:03:00, on 15/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Russ\My Documents\Downloads\Programs\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Russ.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ACQTMOUSE] "C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 10676 bytes

-- Files created between 2008-03-15 and 2008-04-15 -----------------------------

2008-04-15 00:02:44 0 d-------- C:\Program Files\Trend Micro
2008-04-14 21:49:51 0 dr-h----- C:\Documents and Settings\Russ\Recent
2008-04-11 13:49:59 0 d-------- C:\FLIGHT_OF_FURY
2008-04-10 10:59:54 0 d-------- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-04-10 10:45:37 14 --a------ C:\WINDOWS\system32\SysEngine2.SYS
2008-04-10 00:31:42 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2008-04-10 00:31:33 0 d-------- C:\Program Files\CloneDVD
2008-04-10 00:31:33 0 d-------- C:\Documents and Settings\All Users\Application Data\DVDXStudio
2008-04-10 00:15:47 0 d-------- C:\Program Files\DVDFab
2008-04-10 00:11:06 0 d-------- C:\Documents and Settings\Russ\Application Data\SlySoft
2008-04-10 00:09:56 0 d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-04-10 00:07:30 0 d-------- C:\Program Files\SlySoft
2008-04-10 00:01:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-04-09 23:57:24 0 d-------- C:\Program Files\Elaborate Bytes
2008-04-07 11:54:46 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-07 11:54:46 2549 --a------ C:\WINDOWS\unins000.dat
2008-04-06 12:00:34 283648 --a------ C:\WINDOWS\uninst.exe <Not Verified; Stirling Technologies, Inc.; InstallShield Deinstaller>
2008-04-05 17:55:56 0 d-------- C:\Program Files\War Chess
2008-04-05 17:55:45 0 d-------- C:\Program Files\ReflexiveArcade
2008-04-04 23:31:43 0 d-------- C:\Program Files\Multi-Direction Opitcal Mouse
2008-04-02 23:19:16 0 d-------- C:\Program Files\Safari
2008-04-02 23:15:32 0 d-------- C:\Program Files\iPod
2008-04-02 23:15:26 0 d-------- C:\Program Files\iTunes
2008-04-02 23:14:16 0 d-------- C:\Program Files\QuickTime
2008-03-24 22:45:58 0 d-------- C:\Program Files\Paltalk Messenger Interop
2008-03-23 22:40:22 0 d-------- C:\Documents and Settings\Russ\Application Data\Paltalk
2008-03-23 22:40:19 0 d-------- C:\WINDOWS\PaltalkScene
2008-03-23 22:40:19 0 d-------- C:\Program Files\Paltalk Messenger


-- Find3M Report ---------------------------------------------------------------

2008-04-14 22:58:34 0 d-------- C:\Documents and Settings\Russ\Application Data\DMCache
2008-04-14 16:05:22 0 d-------- C:\Documents and Settings\Russ\Application Data\Vso
2008-04-10 11:10:13 33 --a------ C:\Documents and Settings\Russ\Application Data\pcouffin.log
2008-04-10 11:10:12 47360 --a------ C:\Documents and Settings\Russ\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-04-10 11:10:12 1144 --a------ C:\Documents and Settings\Russ\Application Data\pcouffin.inf
2008-04-10 11:10:12 7887 --a------ C:\Documents and Settings\Russ\Application Data\pcouffin.cat
2008-04-08 15:29:53 0 d-------- C:\Documents and Settings\Russ\Application Data\dvdcss
2008-04-07 12:23:46 0 d-------- C:\Program Files\SpywareBlaster
2008-04-05 08:57:01 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-03 22:35:16 0 d-------- C:\Documents and Settings\Russ\Application Data\LimeWire
2008-03-21 00:04:55 0 d-------- C:\Documents and Settings\Russ\Application Data\Real
2008-03-06 19:05:38 0 d-------- C:\Documents and Settings\Russ\Application Data\Mozilla
2008-03-06 19:05:25 0 d-------- C:\Documents and Settings\Russ\Application Data\SecondLife
2008-03-05 01:03:58 0 d-------- C:\Program Files\mSoft
2008-02-19 04:24:33 0 d-------- C:\Documents and Settings\Russ\Application Data\U3
2008-02-19 01:02:51 0 d-------- C:\Documents and Settings\Russ\Application Data\Google
2008-02-19 01:02:19 0 d-------- C:\Program Files\Google
2008-02-18 17:03:33 0 d-------- C:\Program Files\Common Files\Sony Shared
2008-02-18 17:03:30 0 d-------- C:\Program Files\Sony
2008-02-18 17:03:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-18 17:03:20 0 d-------- C:\Program Files\Sony Corporation
2008-02-16 20:25:16 0 d-------- C:\Program Files\Common Files\snp2std
2008-02-16 20:25:13 0 d-------- C:\Program Files\Common Files
2008-02-03 02:45:55 2568 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [18/12/2006 14:34]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [13/07/2006 08:12]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [14/04/2008 22:38]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15/10/2004 20:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 12:35]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [11/08/2005 17:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [11/08/2005 17:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/01/2008 10:06]
"workflow"="D:\installs\workflow.exe" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [27/01/2003 18:16]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [28/09/2006 14:16]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [11/10/2006 13:45]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12/01/2006 17:40]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [14/11/2005 19:47]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [16/11/2005 17:14]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [05/02/2007 11:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [31/01/2008 23:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 13:10]
"ACQTMOUSE"="C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe" [27/12/2006 15:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [01/10/2007 22:45]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [17/11/2007 12:53]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/08/2004 02:06]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [10/02/2006 22:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PalTalk.lnk - C:\Program Files\Paltalk Messenger\paltalk.exe [11/12/2007 21:34:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-04-15 00:03:19 ------------

many thanks.
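The entry in the log above that matters most is the Winlogon Userinit value: winlogon starts every program listed there at each interactive logon, before the shell, and a stock Windows XP install lists only userinit.exe. Spybot reported the value as fixed but the wsnpoem directory as "fixing failed", so the practical question is whether the extra program comes back after a reboot. As an added example (not part of the original post and not code from Spybot, HijackThis or DSS), the Python script below pulls the F2 UserInit line and the O4 Run entries out of a HijackThis-style log and flags anything beyond the default. The sample log lines are constructed from the entries shown above, and the list of "trusted" install roots is an assumption for illustration.

```python
"""Flag non-default Winlogon Userinit programs and unusual Run entries in a
HijackThis-style log.  Added example, not part of the original post."""
import re

# Constructed sample: a few lines copied from the F2 and O4 sections of the
# log in the post above.  Raw string so the backslashes survive as typed.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"""

# What a stock Windows XP Userinit value contains (with or without full path).
DEFAULT_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}

# Install roots assumed "normal" for this illustration (an assumption; tune per machine).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.M)
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.M)


def userinit_programs(log_text):
    """Return the comma-separated programs in the F2 UserInit line."""
    m = USERINIT_RE.search(log_text)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def extra_userinit_programs(log_text):
    """Programs in UserInit other than userinit.exe itself.

    Everything listed here is started by winlogon at every interactive
    logon, before the shell, which is why this value is a favourite
    persistence point and why Spybot flagged it."""
    return [p for p in userinit_programs(log_text)
            if p.lower() not in DEFAULT_USERINIT]


def executable_of(command):
    """Pull the executable path out of a Run command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def run_entries(log_text):
    """(hive, value name, executable) for every O4 ...\\Run line."""
    return [(m.group("hive"), m.group("name"), executable_of(m.group("cmd")))
            for m in O4_RE.finditer(log_text)]


def run_entries_outside_trusted_roots(log_text, roots=TRUSTED_ROOTS):
    """Run entries whose executable is not under one of the trusted roots."""
    return [e for e in run_entries(log_text)
            if not e[2].lower().startswith(roots)]


if __name__ == "__main__":
    for prog in extra_userinit_programs(SAMPLE_LOG):
        print("Userinit loads a non-default program:", prog)
    for hive, name, exe in run_entries_outside_trusted_roots(SAMPLE_LOG):
        print(f"Run entry outside trusted roots: {hive} [{name}] -> {exe}")
```

Run against a fresh HijackThis log taken after a reboot: if ntos.exe is back in the Userinit value, the component Spybot could not delete is still active and is re-writing the key, and the log rather than the scanner's "fixed" message is the thing to trust. The trusted-roots check is only a triage aid; a Run entry under Program Files can still be hostile.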


#2 borat (Topic Starter)

Posted 15 April 2008 - 04:14 AM

Here now I've included the Kaspersky log.

In brief, here is the area that has the main problems:

C:\Documents and Settings\Russ\My Documents\Downloads\Programs\Nero-6.6.1.15c_wch.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Russ\My Documents\Downloads\Programs\Nero-6.6.1.15c_wch.exe RAR: infected - 1 skipped
C:\Documents and Settings\Russ\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Russ\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Russ\Shared\ahmed abu khater last breath.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Russ\Shared\andecy.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

and now here is the whole report (the rest of the files don't say they are infected, just that they are locked and have been skipped):

KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 15, 2008 10:11:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/04/2008
Kaspersky Anti-Virus database records: 705293
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 114863
Number of viruses found 2
Number of infected objects 4
Number of suspicious objects 0
Duration of the scan process 05:01:50

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Russ\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\cert8.db Object is locked skipped
C:\Documents and Settings\Russ\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Russ\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\history.dat Object is locked skipped
C:\Documents and Settings\Russ\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\key3.db Object is locked skipped
C:\Documents and Settings\Russ\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\parent.lock Object is locked skipped
C:\Documents and Settings\Russ\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Russ\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Russ\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Microsoft\Messenger\wakmybonobo@hotmail.co.uk\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Microsoft\Messenger\wakmybonobo@hotmail.co.uk\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Microsoft\Messenger\wakmybonobo@hotmail.co.uk\SharingMetadata\Working\database_38D8_138A_D813_4592\dfsr.db Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Microsoft\Messenger\wakmybonobo@hotmail.co.uk\SharingMetadata\Working\database_38D8_138A_D813_4592\fsr.log Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Microsoft\Messenger\wakmybonobo@hotmail.co.uk\SharingMetadata\Working\database_38D8_138A_D813_4592\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Microsoft\Messenger\wakmybonobo@hotmail.co.uk\SharingMetadata\Working\database_38D8_138A_D813_4592\tmp.edb Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Microsoft\Windows Live Contacts\wakmybonobo@hotmail.co.uk\real\members.stg Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Microsoft\Windows Live Contacts\wakmybonobo@hotmail.co.uk\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Application Data\Mozilla\Firefox\Profiles\qe2h2q5r.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\History\History.IE5\MSHist012008041520080416\index.dat Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Temp\Perflib_Perfdata_202c.dat Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Temp\Perflib_Perfdata_f78.dat Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Temp\~DFD714.tmp Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Temp\~DFD783.tmp Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Temp\~DFEE2E.tmp Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Temp\~DFEF27.tmp Object is locked skipped
C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Russ\My Documents\Downloads\Programs\Nero-6.6.1.15c_wch.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Russ\My Documents\Downloads\Programs\Nero-6.6.1.15c_wch.exe RAR: infected - 1 skipped
C:\Documents and Settings\Russ\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Russ\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Russ\Shared\ahmed abu khater last breath.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Russ\Shared\andecy.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\KEYS.DAT Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Russ.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Russ.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Russ.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B34B6958-2057-4542-B60B-BB100DE52916}\RP206\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{184B1FFE-661F-4CA1-80DC-46A1CD9AB4E2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5cc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

Thanks again.

Edited by borat, 15 April 2008 - 04:18 AM.


#3 jwbirdsong (Slaher O' Spyware)

Posted 19 April 2008 - 09:42 PM

Sorry for the delay, if you still need help please do the following:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

REBOOT

Next download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
    (Vista users, please right click on OtScanIt.exe and select "Run as an Administrator")
  • Leave all the settings at the default except as noted below
  • Under the Additional Scans section, check the following
    • Reg - BotCheck
    • File - Additional Folder Scan
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Since the log is too large to post, use the ADDREPLY button, then scroll down to the attachments section and attach the notepad file here.

#4 borat

borat
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Local time:01:51 AM

Posted 20 April 2008 - 07:01 AM

Here it is, hope it's all you asked for. Thanks, borat

Attached Files



#5 borat

Posted 20 April 2008 - 07:10 AM

I forgot I had both Firefox and the other browser. That log I sent was from after I cleaned Firefox only. Now I have cleaned both; does that mean I need to post a fresh log?

#6 jwbirdsong

Posted 20 April 2008 - 12:56 PM

No that scan is fine.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Start OtScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> workflow -> D:\installs\workflow.exe [D:\installs\workflow.exe]
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\ntos.exe -> %SystemRoot%\system32\ntos.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 33 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 39 domain(s) and sub-domain(s) not assigned to a zone. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> SysEngine2.SYS -> %SystemRoot%\System32\SysEngine2.SYS
NY -> systeminfo3.dll -> %SystemRoot%\System32\systeminfo3.dll
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> SysEngine2.SYS -> %SystemRoot%\System32\SysEngine2.SYS
NY -> systeminfo3.dll -> %SystemRoot%\System32\systeminfo3.dll
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 7 C:\Documents and Settings\Russ\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Russ\Local Settings\Temp\*.tmp
NY -> 7 C:\Documents and Settings\Russ\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Russ\Local Settings\Temp\*.tmp
NY -> 2 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
NY -> @Alternate Data Stream - 130 bytes -> %AllUsersProfile%\Application Data\TEMP:8D49B91E
NY -> inst.exe -> %AppData%\inst.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix.

If it reboots this may not happen. If you need to manually find the file, it is at Desktop\OTScanIt\MovedFiles\04082008_163441.log or whatever yours is named (date/time you ran the fix).

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on the Start Scanning button at the bottom of the page.
  • Accept the License Agreement and the ActiveX install.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report to your Desktop for later posting.
Please post
  • OTscan it "results" log (described above)
  • F-Secure log
  • Fresh OtScanIt log made after F-secure
in your next reply here

Edited by jwbirdsong, 20 April 2008 - 12:58 PM.
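
The Winlogon\UserInit lines in the fix above are the ones that matter for persistence: Windows launches every comma-separated path in that registry value at logon, which is why the trojan's ntos.exe sits next to the real userinit.exe. The following Python script is an added example written for this page; it is not part of OTScanIt, Spybot, or jwbirdsong's instructions. It parses a Userinit value, flags any entry that is not the expected %SystemRoot%\system32\userinit.exe, and can read the live value on a Windows host. The sample values are constructed to mirror what Spybot reported in this thread, and the function names and the `system_root` parameter are this example's own.

```python
"""Audit the Winlogon Userinit value for entries other than the real userinit.exe.

Added example for this thread, not part of OTScanIt or Spybot. Windows runs every
comma-separated path in the Winlogon Userinit value at logon, so an extra entry
(ntos.exe in this thread) is a logon persistence foothold.
"""
import os
import re

# Normally the only entry in the value; anything else deserves a look.
EXPECTED_USERINIT = r"%SystemRoot%\system32\userinit.exe"

# Constructed samples mirroring the value Spybot reported in this thread.
CLEAN_VALUE = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"


def normalize(path, system_root):
    """Expand %SystemRoot%, drop quotes and whitespace, lower-case for comparison."""
    # A lambda replacement avoids re.sub treating backslashes in the root as escapes.
    expanded = re.sub(r"%systemroot%", lambda _: system_root, path, flags=re.IGNORECASE)
    return expanded.strip().strip('"').lower()


def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return the entries of a Userinit value that are not the expected binary."""
    expected = normalize(EXPECTED_USERINIT, system_root)
    unexpected = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # the value normally ends with a trailing comma
        if normalize(entry, system_root) != expected:
            unexpected.append(entry)
    return unexpected


def read_live_userinit():
    """Read the live value on a Windows host; returns None on other systems."""
    if os.name != "nt":
        return None
    import winreg  # only importable on Windows
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE)):
        print(label, "->", audit_userinit(value) or "ok")
    live = read_live_userinit()
    if live is not None:
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        print("live", "->", audit_userinit(live, root) or "ok")
```

On a Windows host the script feeds the live value into the same check; elsewhere it only audits the constructed samples. A value that keeps coming back after a fix, as the ntos.exe entry does later in this thread, points at something re-writing the key rather than at a failed registry edit.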


#7 borat

Posted 20 April 2008 - 09:21 PM

Hi,
For the first log I tried to make I got an error message; I pressed 'OK' and it carried on before I could write the error message down. So after the reboot, I ran the programme again and this time I didn't get an error message, so I am posting the log from the second attempt:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\workflow not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\ntos.exe deleted successfully.
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\SysEngine2.SYS not found!
File C:\WINDOWS\System32\systeminfo3.dll not found!
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\SysEngine2.SYS not found!
File C:\WINDOWS\System32\systeminfo3.dll not found!
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF73C4.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF73E7.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF8538.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF854E.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF73C4.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF73E7.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF8538.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF854E.tmp scheduled to be deleted on reboot.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:8D49B91E .
File C:\Documents and Settings\Russ\Application Data\inst.exe not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF73C4.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF73E7.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF8538.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF854E.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.10.1 fix logfile created on 04212008_021646

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
File C:\Documents and Settings\Russ\Local Settings\Temp\~DF73C4.tmp not found!
File C:\Documents and Settings\Russ\Local Settings\Temp\~DF73E7.tmp not found!
File C:\Documents and Settings\Russ\Local Settings\Temp\~DF8538.tmp not found!
File C:\Documents and Settings\Russ\Local Settings\Temp\~DF854E.tmp not found!
File C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\PFF9WVKY\CAUVSXYZ.0&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_java=true not found!
File C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\PFF9WVKY\iframe[1].htm not found!
File C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\EOC8IEAM\CAVYSJJ1.0&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_java=true not found!
File C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\416RW9UV\CAZQILBF.0&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_java=true not found!
File C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\416RW9UV\topic141920[1].html not found!
C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

F-Secure results:
Scanning Report
Monday, April 21, 2008 02:23:28 - 03:06:28

Computer name: MYSTIC-7DC93150
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 5 malware found
Hupigon.gen156 (virus)

* C:\PROGRAM FILES\SUPER INTERNET TV\ONLINETV.EXE (Submitted)

Stealth_file (hidden item)

* C:\WINDOWS\SYSTEM32\NTOS.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\WSNPOEM\AUDIO.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\WSNPOEM\VIDEO.DLL (Submitted)

Trojan-Spy.Win32.Zbot (virus)

* System (Disinfected)

Statistics
Scanned:

* Files: 46516
* System: 3678
* Not scanned: 7

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 4
* Submitted: 4

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-04-21
* F-Secure AVP: 7.0.171, 2008-04-21
* F-Secure Pegasus: 1.20.0, 2008-02-28
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


and the fresh OTScanit log:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\workflow not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\ntos.exe deleted successfully.
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\SysEngine2.SYS not found!
File C:\WINDOWS\System32\systeminfo3.dll not found!
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\SysEngine2.SYS not found!
File C:\WINDOWS\System32\systeminfo3.dll not found!
C:\Documents and Settings\Russ\Local Settings\Temp\fsaua.tmp folder deleted successfully.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF8FE9.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF931D.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DFD851.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DFD872.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF8FE9.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF931D.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DFD851.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DFD872.tmp scheduled to be deleted on reboot.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:8D49B91E .
File C:\Documents and Settings\Russ\Application Data\inst.exe not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\Perflib_Perfdata_574.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF8FE9.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF931D.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DFD851.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DFD872.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\YZ01K3MN\ReadMessageLight[1].aspx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.10.1 fix logfile created on 04212008_031229

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
File C:\Documents and Settings\Russ\Local Settings\Temp\~DF8FE9.tmp not found!
File C:\Documents and Settings\Russ\Local Settings\Temp\~DF931D.tmp not found!
File C:\Documents and Settings\Russ\Local Settings\Temp\~DFD851.tmp not found!
File C:\Documents and Settings\Russ\Local Settings\Temp\~DFD872.tmp not found!
File C:\Documents and Settings\Russ\Local Settings\Temp\Perflib_Perfdata_574.dat not found!
C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\YZ01K3MN\ReadMessageLight[1].aspx moved successfully.
C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.


Thanks
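
The logs above say "deleted successfully" for the registry value, yet ntos.exe reads "scheduled to be moved on reboot" both in the fix pass and again under "Files moved on Reboot...", and the two alternate data streams under Application Data\TEMP could not be deleted at all; those are the items that actually survived the fix. As an added example that is not part of this thread or of OldTimer's OTScanIt, here is a Python triage script that parses fix-log lines of that shape, counts the outcomes, and lists the targets still present after the reboot pass. The sample log is constructed from lines like the ones posted here, and the status labels (deferred, failed, not_found, done) are this example's own naming.

```python
"""Triage an OTScanIt fix log: count outcomes and list items that survived the fix.

Added example for this thread; the line formats are taken from the logs posted
here, and the status names are this script's own.
"""
import re
from collections import Counter

# Constructed sample, modelled on the fix log posted earlier in this thread.
SAMPLE_LOG = r"""
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\ntos.exe deleted successfully.
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 .
File C:\Documents and Settings\Russ\Application Data\inst.exe not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temp\~DF73C4.tmp scheduled to be deleted on reboot.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.10.1 fix logfile created on 04212008_021646

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
File C:\Documents and Settings\Russ\Local Settings\Temp\~DF73C4.tmp not found!
C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
"""

# Status patterns, tried in order; each captures the file or registry target.
PATTERNS = [
    ("deferred", re.compile(r"^File (?:move|delete) failed\. (?P<target>.+?) scheduled to be (?:moved|deleted) on reboot\.$")),
    ("failed", re.compile(r"^Unable to delete ADS (?P<target>.+?) ?\.$")),
    ("not_found", re.compile(r"^(?:File |Registry (?:value|key) )(?P<target>.+?) not found[.!]$")),
    ("done", re.compile(r"^(?:Registry (?:value|key) )?(?P<target>.+?) (?:moved|deleted) successfully\.$")),
]


def parse_fix_log(text):
    """Yield (phase, status, target) tuples; phase is 'fix' or 'reboot'."""
    phase = "fix"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Files moved on Reboot"):
            phase = "reboot"  # everything after this ran at the next boot
            continue
        for status, pattern in PATTERNS:
            match = pattern.match(line)
            if match:
                yield phase, status, match.group("target")
                break


def summarize_fix_log(text):
    """Return outcome counts plus the targets that are still present after the fix.

    A target survives when the reboot pass still could not move it (the file is
    in use or protected at boot) or when the tool reported a hard failure, such
    as an alternate data stream it could not delete.
    """
    entries = list(parse_fix_log(text))
    counts = Counter(status for _, status, _ in entries)
    survivors = {
        target for phase, status, target in entries
        if status == "failed" or (phase == "reboot" and status == "deferred")
    }
    return {"counts": dict(counts), "survivors": sorted(survivors)}


if __name__ == "__main__":
    report = summarize_fix_log(SAMPLE_LOG)
    print("outcomes:", report["counts"])
    for target in report["survivors"]:
        print("still present after fix:", target)
```

Feed it the text of any OTScanIt fix log (for example `summarize_fix_log(open(path).read())`) and compare the survivor list between runs: a target that is deferred again after every reboot, as ntos.exe is in the two logs above, is not going to go away by repeating the same fix, which is the signal that a different tool or a different approach is needed.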

#8 jwbirdsong

Posted 01 May 2008 - 04:04 PM

Not sure if I missed your reply or if I thought you were going to post a current OtScanIt log. Sorry for the extended delay.

Would you download a new/updated version of OtScanIt from the same link as post #3 and post a fresh log?
Also a note about how everything is running.

#9 borat

Posted 01 May 2008 - 04:21 PM

Here's the new log. I assume it's the updated version of OTScanIt... it didn't say anything, but I re-installed it from the link you gave, and I think it overwrote the old version.
As for my computer's performance, there are possibly minimal delays, but it's not running badly at all. A few programmes have crashed lately I think, but still very rarely.
I've noticed though that I seem to be getting more spyware etc. when doing a spyware or virus scan. Before it would be rare to find any, but lately I'm finding quite a few... most are deleted without bother though, but some won't delete (the one, or ones, in my first post).

thanks again

Attached Files



#10 jwbirdsong

Posted 01 May 2008 - 04:54 PM

most are deleted without bother though, but some won't delete (the one, or ones, in my first post).

Can you be more specific? The files listed below are normal OS files and will not/should not be deleted.

C:\Documents and Settings\Russ\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Russ\ntuser.dat.LOG Object is locked skipped


Seem to have a few registry entries sticking around. Maybe TeaTimer is replacing them, maybe something else.

IF you get a popup about changes to the registry after running the following fix (or on reboot) make sure to ACCEPT them.

Boot to SAFEMODE

Start OtScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> ~EmptyValue -> []
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\ntos.exe -> %SystemRoot%\system32\ntos.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
[Files/Folders - Modified Within 30 days]
NY -> 9 C:\Documents and Settings\Russ\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Russ\Local Settings\Temp\*.tmp
NY -> 1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix.

Make sure to boot to Normal mode when the computer asks to reboot.

If you need to manually find the file, it is at Desktop\OTScanIt\MovedFiles\05012008_163441.log or whatever yours is named (date/time you ran the fix).

Please post the result of the fix above.

#11 borat

Posted 01 May 2008 - 05:56 PM

I certainly can be more specific ;). The infection that Spybot finds but is unable to remove is:

Win32.Agent.pz
(SB1$3889C81D) Program directory
C:\Windows\system32\wsnpoem\

Here is the log you asked for.
(I ran one fix in normal mode, then realised my error, so this is the log from the fix I ran in safe mode.)


[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\~EmptyValue not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\ntos.exe deleted successfully.
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
[Files/Folders - Modified Within 30 days]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 .
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.10.1 fix logfile created on 05012008_235142

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
C:\Documents and Settings\Russ\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.


thanks

#12 jwbirdsong

Posted 02 May 2008 - 02:58 PM

Please visit the webpage HERE for instructions on downloading and running ComboFix.
Post the log from ComboFix once you have done that.

#13 borat

Posted 02 May 2008 - 03:58 PM

Hi,
I don't have my Windows XP disc on me, so I can't install and run ComboFix?
A relative installed XP for me, and the disc isn't here.
Does that mean we can't continue without it?
Thanks, Russ

#14 jwbirdsong

Posted 02 May 2008 - 06:08 PM

That part is just for the Recovery Console.

Go ahead and go through the rest and you'll be able to download and install CF just fine.

#15 borat

Posted 04 May 2008 - 03:58 AM

Sorry for the delay: see the ComboFix log below. First, I just remembered, I did a Kaspersky online scan a while ago; it found:

C:\Documents and Settings\Russ\My Documents\Downloads\Programs\Nero-6.6.1.15c_wch.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Russ\My Documents\Downloads\Programs\Nero-6.6.1.15c_wch.exe RAR: infected - 1 skipped
C:\Documents and Settings\Russ\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Russ\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Russ\Shared\ahmed abu khater last breath.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Russ\Shared\andecy.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

I deleted all but the 'Ntuser' files; I don't know what they are, and don't know how to get to them anyway. Are they OK?



ComboFix 08-05-01.3 - Russ 2008-05-04 9:44:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1442 [GMT 1:00]
Running from: C:\Documents and Settings\Russ\My Documents\Downloads\Programs\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\NetworkService\Application Data\wsnpoem
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll.cla
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\wsnpoem\video.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-04 09:48 . 2008-05-04 09:48 <DIR> d--hs---- C:\Documents and Settings\NetworkService\Application Data\wsnpoem
2008-05-04 09:48 . 2008-05-04 09:48 <DIR> d--hs---- C:\Documents and Settings\LocalService\Application Data\wsnpoem
2008-04-26 14:29 . 2008-04-26 14:40 <DIR> d-------- C:\DEADWOOD_S3_D2
2008-04-26 14:14 . 2008-04-26 14:25 <DIR> d-------- C:\DEADWOOD_S3_D1
2008-04-21 02:21 . 2008-04-21 02:21 <DIR> d-------- C:\fsaua.data
2008-04-20 13:15 . 2008-04-20 13:28 <DIR> d-------- C:\DEADWOOD_SEASON_2.1
2008-04-18 15:51 . 2008-04-18 15:51 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-04-18 15:51 . 2008-04-18 15:51 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-04-18 15:51 . 2008-04-18 15:52 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\Teleca
2008-04-18 15:51 . 2008-04-18 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-04-18 15:51 . 2008-04-18 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-04-18 15:27 . 2008-04-18 15:49 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-18 15:27 . 2008-04-18 15:27 94,064 --a------ C:\WINDOWS\system32\drivers\k510mdm.sys
2008-04-18 15:27 . 2008-04-18 15:27 85,408 --a------ C:\WINDOWS\system32\drivers\k510mgmt.sys
2008-04-18 15:27 . 2008-04-18 15:27 83,344 --a------ C:\WINDOWS\system32\drivers\k510obex.sys
2008-04-18 15:27 . 2008-04-18 15:27 58,288 --a------ C:\WINDOWS\system32\drivers\k510bus.sys
2008-04-18 15:27 . 2008-04-18 15:27 8,336 --a------ C:\WINDOWS\system32\drivers\k510mdfl.sys
2008-04-18 15:27 . 2008-04-18 15:27 6,176 --a------ C:\WINDOWS\system32\drivers\k510cmnt.sys
2008-04-18 15:27 . 2008-04-18 15:27 6,176 --a------ C:\WINDOWS\system32\drivers\k510cm.sys
2008-04-18 15:27 . 2008-04-18 15:27 5,808 --a------ C:\WINDOWS\system32\drivers\k510whnt.sys
2008-04-18 15:27 . 2008-04-18 15:27 5,808 --a------ C:\WINDOWS\system32\drivers\k510wh.sys
2008-04-17 23:08 . 2008-04-17 23:22 <DIR> d-------- C:\DEADWOOD_SEASON_2
2008-04-15 04:52 . 2008-04-15 04:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 04:52 . 2008-04-15 04:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-15 00:02 . 2008-04-15 00:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 23:17 . 2008-04-14 23:17 <DIR> d-------- C:\Deckard
2008-04-10 11:08 . 2008-04-10 11:10 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-04-10 10:59 . 2008-04-10 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-04-10 00:31 . 2008-04-10 00:31 <DIR> d-------- C:\Program Files\CloneDVD
2008-04-10 00:31 . 2008-04-10 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVDXStudio
2008-04-10 00:15 . 2008-04-10 10:53 <DIR> d-------- C:\Program Files\DVDFab
2008-04-10 00:11 . 2008-04-10 00:11 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\SlySoft
2008-04-10 00:09 . 2008-04-10 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-04-10 00:07 . 2008-04-10 01:33 <DIR> d-------- C:\Program Files\SlySoft
2008-04-10 00:01 . 2008-04-10 00:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-04-10 00:00 . 2008-04-10 00:09 125 ---hs---- C:\Documents and Settings\All Users\Application Data\.zreglib
2008-04-09 23:57 . 2008-04-10 00:04 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-04-07 11:54 . 2008-04-07 11:53 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-07 11:54 . 2008-04-07 11:54 2,549 --a------ C:\WINDOWS\unins000.dat
2008-04-06 12:00 . 1996-01-09 02:38 283,648 --a------ C:\WINDOWS\uninst.exe
2008-04-05 17:55 . 2008-04-05 18:00 <DIR> d-------- C:\Program Files\War Chess
2008-04-05 17:55 . 2008-04-05 17:55 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-04-04 23:31 . 2008-04-04 23:31 <DIR> d-------- C:\Program Files\Multi-Direction Opitcal Mouse

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 08:48 --------- d-----w C:\Documents and Settings\Russ\Application Data\DMCache
2008-05-04 06:31 --------- d-----w C:\Documents and Settings\Russ\Application Data\Vso
2008-05-04 06:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-01 11:58 --------- d-----w C:\Documents and Settings\Russ\Application Data\AdobeUM
2008-05-01 11:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 16:57 --------- d-----w C:\Documents and Settings\Russ\Application Data\LimeWire
2008-04-10 10:10 47,360 ----a-w C:\Documents and Settings\Russ\Application Data\pcouffin.sys
2008-04-08 14:29 --------- d-----w C:\Documents and Settings\Russ\Application Data\dvdcss
2008-04-07 11:23 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-07 10:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-07 10:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-05 07:57 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-04-02 22:19 --------- d-----w C:\Program Files\Safari
2008-04-02 22:15 --------- d-----w C:\Program Files\iTunes
2008-04-02 22:15 --------- d-----w C:\Program Files\iPod
2008-04-02 22:14 --------- d-----w C:\Program Files\QuickTime
2008-03-24 21:45 --------- d-----w C:\Program Files\Paltalk Messenger Interop
2008-03-23 21:41 --------- d-----w C:\Documents and Settings\Russ\Application Data\Paltalk
2008-03-23 21:40 --------- d-----w C:\Program Files\Paltalk Messenger
2008-03-06 18:05 --------- d-----w C:\Documents and Settings\Russ\Application Data\SecondLife
2008-03-05 00:03 --------- d-----w C:\Program Files\mSoft
2008-01-04 09:40 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-03 01:45 2,568 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-10-01 22:45 840704]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 12:53 171464]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 22:40 2048000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 14:34 868352]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 08:12 729088]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-14 22:38 262401]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 20:40 2577632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-04 10:06 185896]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 18:16 376912]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 14:16 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 13:45 75304]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 17:40 155648]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2005-11-14 19:47 110592]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2005-11-16 17:14 344064]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2007-02-05 11:11 476728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"ACQTMOUSE"="C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe" [2006-12-27 15:39 489984]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PalTalk.lnk - C:\Program Files\Paltalk Messenger\paltalk.exe [2007-12-11 21:34:40 10252288]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Super Internet TV\\OnlineTV.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 acedrv10;acedrv10;C:\WINDOWS\system32\drivers\acedrv10.sys [2007-07-24 08:45]
R2 acehlp10;acehlp10;C:\WINDOWS\system32\drivers\acehlp10.sys [2007-07-11 09:20]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2006-03-01 09:40]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2006-03-01 09:40]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2008-04-18 15:27]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2008-04-18 15:27]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2008-04-18 15:27]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2008-04-18 15:27]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2008-04-18 15:27]
S3 SaiNtHid;SaiNtHid;C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys [2003-04-10 12:42]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2005-11-18 19:29]
S3 UDTTLOAD;UDTTLOAD;C:\WINDOWS\system32\DRIVERS\UDTTload.sys [2003-04-27 10:22]
S3 UDTTUSB;USBDTT - USB DVB-T adapter Driver;C:\WINDOWS\system32\Drivers\UDTTcap.sys [2003-04-27 10:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 22:02:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 09:48:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\ntos.exe 531968 bytes executable
C:\WINDOWS\system32\wsnpoem

scan completed successfully
hidden files: 284

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2008-05-04 9:52:21 - machine was rebooted [Russ]
ComboFix-quarantined-files.txt 2008-05-04 08:52:17

Pre-Run: 77,115,162,624 bytes free
Post-Run: 77,107,015,680 bytes free

197 --- E O F --- 2008-05-02 04:22:13


Thanks

Edited by borat, 04 May 2008 - 04:09 AM.




