Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32 Trojan Attackin My System ... Urgent


  • Please log in to reply
29 replies to this topic

#1 Norns

Norns

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 30 April 2008 - 12:59 PM

Hi guys ....

This is the first time im getting virus and weird symtom on my pc. From the beginning, im always be very sure and careful on what I click on screen.
I got anti spyware, anti virus and also firewall ...

Things happend when i leave my computer overnight, then morning i got this weird thing :thumbsup:

When i try to shut down my pc, the pc hang and keep coming out IE browser with weird language website...

When i on my pc, it also keep running my IE background and try to connect to somewhere ...

I scan with kaspersky, it manage to detect some virus but i feel like its fail to disinfect all or delete the files ....


]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:15 AM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\Remote Tools OTP\msraLinkMonitor.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {398C9B84-4EF7-47B5-9862-DE29543B3C42} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - (no file)
O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - (no file)
O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7625F746-FCB2-48E8-BAF5-2B862F89296C}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O20 - AppInit_DLLs: wbsys.dll,c:\progra~1\kasper~1\kasper~2.0\adialhk.dll,msosmhfp00.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Ltd. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSRA Link Monitor (msraLinkMonitor) - Unknown owner - C:\Program Files\Remote Tools OTP\msraLinkMonitor.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 11059 bytes

Edited by Norns, 30 April 2008 - 01:01 PM.


BC AdBot (Login to Remove)

 


#2 Norns

Norns
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 30 April 2008 - 09:46 PM

Anyone care to assist me urgently ?

TQ a lots

#3 Norns

Norns
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 04 May 2008 - 07:42 AM

Any help from proz ~~

#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:02:58 AM

Posted 22 May 2008 - 11:32 AM

Hello Norns and welcome to BleepingComputer!

Apollogies for the delay. The forum has been very busy lately and. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

When posting your log, please make sure you post the HijackThis log as a reply and not as an attachment. If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#5 Norns

Norns
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 06 June 2008 - 06:37 AM

Hi Johannes,

Sorry for the late reply.
Initially I had clean my ystem temporaly, but for no reason today the heur trojan attach my pc again.

Here's the latest hijackthis post ...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:28 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\Remote Tools OTP\msraLinkMonitor.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Garmin\MapSource.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7625F746-FCB2-48E8-BAF5-2B862F89296C}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Ltd. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSRA Link Monitor (msraLinkMonitor) - Unknown owner - C:\Program Files\Remote Tools OTP\msraLinkMonitor.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 11343 bytes

#6 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:02:58 AM

Posted 07 June 2008 - 01:13 PM

Hi Norns,

looks like you did not read my post, or check the link supplied. I would like you to revisit that link and post the logs asked for there. It will help me help you better and faster.

Please do the above as Step #1.

Step #2

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Step #3

Please post back with the logs from step 1. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#7 Norns

Norns
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 07 June 2008 - 02:47 PM

Hi Johannes,

Thanks again for your reply ! I have posted the dss log and kaspersky online scanner below. Please have a look :D

I think initially i got this heur trojan by accidently click on msn link .... and got my system infected. At first i clean it by delete the virus in safe mode, however after sometime the trojan attack back.
I wish to totally clean it hoping not to reformat my pc...

Hope you can assist me asap as i need my pc badly for work ..

Really appreciate your help :thumbsup:


DSS log:
Deckard's System Scanner v20071014.68
Run by NHS87 on 2008-06-08 03:37:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
89: 2008-06-07 19:34:17 UTC - RP185 - Deckard's System Scanner Restore Point
88: 2008-06-06 18:59:46 UTC - RP184 - System Checkpoint
87: 2008-06-05 18:16:51 UTC - RP183 - System Checkpoint
86: 2008-06-04 18:12:04 UTC - RP182 - System Checkpoint
85: 2008-06-03 17:46:28 UTC - RP181 - System Checkpoint


-- First Restore Point --
1: 2008-03-12 03:34:07 UTC - RP97 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as NHS87.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:17 AM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\Remote Tools OTP\msraLinkMonitor.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
D:\Installer\PC Security\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NHS87.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Ltd. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSRA Link Monitor (msraLinkMonitor) - Unknown owner - C:\Program Files\Remote Tools OTP\msraLinkMonitor.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 11273 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080504-203842-171 O2 - BHO: (no name) - {398C9B84-4EF7-47B5-9862-DE29543B3C42} - (no file)
backup-20080504-203842-399 O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - (no file)
backup-20080504-203842-431 O20 - AppInit_DLLs: wbsys.dll,msosmhfp00.dll,C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
backup-20080504-203842-609 O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - (no file)
backup-20080504-203842-619 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080504-203842-794 O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 HDDlife HDD Access service - "c:\program files\binarysense\hddlife 3\hldasvc.exe" <Not Verified; BinarySense, Ltd.; HDDlife>
R2 msraLinkMonitor (MSRA Link Monitor) - "c:\program files\remote tools otp\msralinkmonitor.exe" <Not Verified; ; Quaranti Application>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia N73
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N73
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-06-06 17:15:00 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-05-06 07:37:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-08 and 2008-06-08 -----------------------------

2008-06-08 03:34:05 0 d-------- C:\Documents and Settings\NHS87\.SunDownloadManager
2008-06-06 14:57:44 164352 --a------ C:\WINDOWS\system32\unrar.dll
2008-06-06 14:57:42 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-06-06 14:57:41 159839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-06 14:57:41 755027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-06 14:57:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-06 14:57:41 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-06 14:57:41 682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-06 14:57:40 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-06-06 14:57:38 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-06-06 11:37:58 0 d-------- C:\Documents and Settings\NHS87\Application Data\Free Download Manager
2008-06-06 11:37:54 0 d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-06-06 11:37:53 0 d-------- C:\Program Files\Free Download Manager
2008-06-06 11:26:34 0 d-------- C:\Documents and Settings\NHS87\Application Data\Pandion
2008-06-06 11:26:27 0 d-------- C:\Program Files\Pandion
2008-06-01 23:47:31 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-01 23:47:31 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-01 23:46:59 52512 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-01 23:46:59 8379424 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-01 23:46:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 23:43:19 0 d-------- C:\Program Files\DivX
2008-06-01 23:42:38 0 d-------- C:\kav
2008-06-01 09:52:03 0 dr-h----- C:\Documents and Settings\NHS87\Recent
2008-06-01 09:44:27 0 d-------- C:\Documents and Settings\NHS87\Application Data\Nokia Multimedia Player
2008-06-01 09:39:30 2275840 --a------ C:\WINDOWS\system32\TUKernel.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-06-08 03:30:07 0 d-------- C:\Documents and Settings\NHS87\Application Data\MegauploadToolbar
2008-06-06 17:51:31 0 d-------- C:\Program Files\FlashGet
2008-06-06 14:18:14 0 d-------- C:\Documents and Settings\NHS87\Application Data\U3
2008-06-01 23:46:59 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-01 23:43:24 1413 --a------ C:\WINDOWS\mozver.dat
2008-05-21 03:01:12 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 22:19:55 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-05 18:06:43 0 d-------- C:\Documents and Settings\NHS87\Application Data\Uniblue
2008-05-04 20:50:03 0 d-------- C:\Documents and Settings\NHS87\Application Data\Systweak
2008-05-01 01:25:06 0 d-------- C:\Program Files\Trend Micro
2008-04-27 20:42:26 256 --a------ C:\WINDOWS\system32\msosmhfp.dat
2008-04-27 20:42:07 233472 --a------ C:\WINDOWS\system32\wpcap.dll <Not Verified; CACE Technologies; WinPcap high level library>
2008-04-27 20:42:07 61440 --a------ C:\WINDOWS\system32\WanPacket.dll <Not Verified; CACE Technologies; WinPcap low level NetMon wrapper library>
2008-04-27 20:42:07 81920 --a------ C:\WINDOWS\system32\Packet.dll <Not Verified; CACE Technologies; WinPcap low level packet library>
2008-04-27 20:39:27 0 d-------- C:\Program Files\Common Files
2008-04-27 13:49:28 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-04-27 13:49:01 423424 --a------ C:\WINDOWS\system32\andt.sys
2008-04-27 10:19:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-27 10:17:36 0 d-------- C:\Program Files\Boson Software
2008-04-27 10:17:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-26 19:33:55 0 d-------- C:\Program Files\WinAVIVideoConverter
2008-04-26 19:33:47 3082 --a------ C:\WINDOWS\system32\affv208325p1now.sys
2008-04-20 00:41:44 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-19 13:16:14 0 d-------- C:\Documents and Settings\NHS87\Application Data\Apple Computer
2008-04-18 23:30:18 0 d-------- C:\Program Files\SemSim 640-801 CCNA Exams
2008-04-18 23:26:55 831488 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Atrixware, LLC.; Setup>
2008-04-18 23:26:54 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-18 22:29:58 0 d-------- C:\Documents and Settings\NHS87\Application Data\Citrix
2008-04-18 19:27:15 0 d-------- C:\Documents and Settings\NHS87\Application Data\ICAClient
2008-04-18 19:23:51 0 d-------- C:\Program Files\Citrix
2008-04-18 19:15:50 0 d-------- C:\Program Files\Remote Tools OTP
2008-04-15 20:10:28 0 d-------- C:\Program Files\QuickTime
2008-04-15 20:09:55 0 d-------- C:\Program Files\Apple Software Update
2008-04-14 20:10:11 0 d-------- C:\Program Files\Java
2008-04-14 20:09:38 0 d-------- C:\Program Files\Pass4sure


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [07/13/2006 07:12 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 09:34 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 02:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [12/03/2007 02:21 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/05/2008 08:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/07/2004 04:00 AM]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [12/13/2007 07:10 PM]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [12/10/2007 10:12 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Documents and Settings\NHS87\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 8:24:54 PM]
Thoosje Vista Sidebar.lnk - C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe [10/22/2007 8:28:57 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTrayContextMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 02/03/2008 02:03 AM 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Program Neighborhood Agent.lnk
backup=C:\WINDOWS\pss\Program Neighborhood Agent.lnkCommon Startup

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.test.com
127.0.0.1 www.ads.x10.com
127.0.0.1 www.600pics.com
127.0.0.1 www.doberman.befree.com
127.0.0.1 www.enews.bfast.com
127.0.0.1 www.etoys.bfast.com
127.0.0.1 www.falcon.bfast.com
127.0.0.1 www.ftp.befree.com
127.0.0.1 www.ftp.bfast.com
127.0.0.1 www.geocities.bfast.com


-- End of Deckard's System Scanner: finished at 2008-06-08 03:43:30 ------------


----------

Kaspersky log:

**will update later on due to kaspersky online is updating database**

#8 Norns

Norns
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 08 June 2008 - 08:26 AM

My kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 08, 2008 9:24:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/06/2008
Kaspersky Anti-Virus database records: 837687
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 120637
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 02:21:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0162_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0164_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0165_AdBlocker_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0165_AdBlocker_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NHS87\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\cert8.db Object is locked skipped
C:\Documents and Settings\NHS87\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\flashgot.log Object is locked skipped
C:\Documents and Settings\NHS87\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\NHS87\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\history.dat Object is locked skipped
C:\Documents and Settings\NHS87\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\key3.db Object is locked skipped
C:\Documents and Settings\NHS87\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\parent.lock Object is locked skipped
C:\Documents and Settings\NHS87\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\search.sqlite Object is locked skipped
C:\Documents and Settings\NHS87\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\NHS87\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Microsoft\Windows Live Contacts\honsheong_87@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Microsoft\Windows Live Contacts\honsheong_87@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Application Data\Mozilla\Firefox\Profiles\cnm1y21b.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Temp\Free Download Manager\tic27.tmp Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Temp\Free Download Manager\tic32.tmp Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Temp\Perflib_Perfdata_bc.dat Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Temp\~DF944E.tmp Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Temp\~DF9BAC.tmp Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Temp\~DFB4D.tmp Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Temp\~DFE67.tmp Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\NHS87\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NHS87\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NHS87\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU2.txt Object is locked skipped
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D2209CFB-F293-4145-BD38-30BA9F19FCAA}\RP185\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\cch~3ad69e06e868.htp Object is locked skipped
C:\WINDOWS\Temp\cch~3ad69e170848.htp Object is locked skipped
C:\WINDOWS\Temp\cch~3af6c8169805.htp Object is locked skipped
C:\WINDOWS\Temp\cch~3af6cac8c7a5.htp Object is locked skipped
C:\WINDOWS\Temp\cch~3b10265526ab.htp Object is locked skipped
C:\WINDOWS\Temp\cch~3b102661abe0.htp Object is locked skipped
C:\WINDOWS\Temp\cch~3b11e49442a9.htp Object is locked skipped
C:\WINDOWS\Temp\cch~3b11e4a088e8.htp Object is locked skipped
C:\WINDOWS\Temp\~DF94FE.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\Installer\Utilities\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
D:\Installer\Utilities\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe 7-Zip: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{D2209CFB-F293-4145-BD38-30BA9F19FCAA}\RP185\change.log Object is locked skipped
E:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{D2209CFB-F293-4145-BD38-30BA9F19FCAA}\RP185\change.log Object is locked skipped
F:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{D2209CFB-F293-4145-BD38-30BA9F19FCAA}\RP185\change.log Object is locked skipped
H:\Installer\Utilities\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
H:\Installer\Utilities\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe 7-Zip: infected - 1 skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{D2209CFB-F293-4145-BD38-30BA9F19FCAA}\RP185\change.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\_restore{D2209CFB-F293-4145-BD38-30BA9F19FCAA}\RP185\change.log Object is locked skipped

Scan process completed.

#9 Norns

Norns
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 08 June 2008 - 08:50 AM

Oh yea, forgot to mentioned

I have also just updated my JRE to latest version

Thanks :D

#10 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:02:58 AM

Posted 08 June 2008 - 01:07 PM

Step #1

Can you please have a look if the extra.txt file created by DSS is present in the C:\Deckard\System Scanner folder? I really want that log.
If you cannot find the log, then please do the following:
  • Close all programs and/or windows so that you have nothing open and are at your Desktop.
  • Click on Start, then click on Run.
  • In the Open: field copy and paste the entire contents inside the CODE box below and press the OK button.

    "%userprofile%\Desktop\dss.exe" /config

    This will open up DSS configuration.
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • When finished, please post back both logs that open in Notepad: main.txt and extra.txt.
Step #2

Please download Malwarebytes' Anti-Malware from Here
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step #3

Please post back with the following:
  • extra.txt
  • Malwarebytes Antimalware log
Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#11 Norns

Norns
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 09 June 2008 - 06:03 AM

Hi Johannes,

Here's all the log that you need :D

Step 1:

Extra.txt log
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 4000+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 4000+
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 2046.42 MiB / 1314.65 MiB
Pagefile Memory (total/avail): 3941.93 MiB / 3314.27 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1919.75 MiB

C: is Fixed (NTFS) - 68.36 GiB total, 44.51 GiB free.
D: is Fixed (NTFS) - 58.59 GiB total, 44.35 GiB free.
E: is Fixed (NTFS) - 87.89 GiB total, 38.15 GiB free.
F: is Fixed (NTFS) - 82.68 GiB total, 55.04 GiB free.
G: is CDROM (No Media)
H: is Fixed (NTFS) - 32.69 GiB total, 16.18 GiB free.
I: is Fixed (NTFS) - 79.1 GiB total, 26.88 GiB free.

\\.\PHYSICALDRIVE1 - SAMSUNG HM120JI - 111.79 GiB - 2 partitions
\PARTITION0 - Installable File System - 32.69 GiB - H:
\PARTITION1 - Extended w/Extended Int 13 - 79.1 GiB - I:

\\.\PHYSICALDRIVE0 - ST3320620AS - 298.09 GiB - 4 partitions
\PARTITION0 - Extended w/Extended Int 13 - 229.16 GiB - D: - E: - F:
\PARTITION1 (bootable) - Installable File System - 68.36 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab)
AV: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\FlashGet\\FlashGet.exe"="C:\\Program Files\\FlashGet\\FlashGet.exe:*:Enabled:Flashget"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"F:\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"="F:\\THQ\\Titan Quest Immortal Throne\\Tqit.exe:*:Enabled:Tqit"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
"C:\\kav\\kis7.0\\english\\setup.exe"="C:\\kav\\kis7.0\\english\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\NHS87\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NORNS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\NHS87
LOGONSERVER=\\NORNS
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\NHS87\LOCALS~1\Temp
TMP=C:\DOCUME~1\NHS87\LOCALS~1\Temp
USERDOMAIN=NORNS
USERNAME=NHS87
USERPROFILE=C:\Documents and Settings\NHS87
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

NHS87 (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Boson NetSim for CCNA --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{43C55842-E2A8-4281-8C5B-7E7016D9E349}
Citrix Presentation Server Client --> MsiExec.exe /I{2624B680-02BC-4CBC-839C-DA20DF6EF6EC}
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Free Download Manager 2.5 --> "C:\Program Files\Free Download Manager\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
K-Lite Codec Pack 3.9.5 (Full) --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Pandion --> "C:\Program Files\Pandion\Uninstall.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remote Access to HP Network (MSRA 4.1 One Time Passcode Client) --> MsiExec.exe /X{035584ED-5FE4-4CCD-AF8D-72F471261AF6}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SemSim 640-801 CCNA Exams --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\SemSim 640-801 CCNA Exams\ST6UNST.LOG"
Titan Quest --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}\setup.exe" -l0x9 -removeonly
Titan Quest Immortal Throne --> MsiExec.exe /I{CC169F76-F65F-4A19-A1FE-EC0D099B9452}
TQVault --> MsiExec.exe /I{51592501-CFCE-4570-A0B8-8B14E40BF23A}
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
WinAVIVideoConverter --> "C:\Program Files\WinAVIVideoConverter\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type106 / Error
Event Submitted/Written: 06/03/2008 06:51:05 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type62 / Error
Event Submitted/Written: 06/01/2008 11:43:06 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: Kaspersky Internet Security 7.0 -- You must restart your computer before proceeding with the installation.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1342 / Error
Event Submitted/Written: 06/08/2008 03:40:35 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {222F1C6D-F430-4B76-B3F1-1FE92E214AD3} did not register with DCOM within the required timeout.

Event Record #/Type1341 / Warning
Event Submitted/Written: 06/08/2008 03:39:54 AM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type1340 / Warning
Event Submitted/Written: 06/08/2008 03:39:52 AM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type1339 / Warning
Event Submitted/Written: 06/08/2008 03:38:48 AM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type1338 / Warning
Event Submitted/Written: 06/08/2008 03:38:48 AM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"



-- End of Deckard's System Scanner: finished at 2008-06-08 03:43:30 ------------


======================================================

Main.txt log


Deckard's System Scanner v20071014.68
Run by NHS87 on 2008-06-08 03:37:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
89: 2008-06-07 19:34:17 UTC - RP185 - Deckard's System Scanner Restore Point
88: 2008-06-06 18:59:46 UTC - RP184 - System Checkpoint
87: 2008-06-05 18:16:51 UTC - RP183 - System Checkpoint
86: 2008-06-04 18:12:04 UTC - RP182 - System Checkpoint
85: 2008-06-03 17:46:28 UTC - RP181 - System Checkpoint


-- First Restore Point --
1: 2008-03-12 03:34:07 UTC - RP97 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as NHS87.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:17 AM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\Remote Tools OTP\msraLinkMonitor.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
D:\Installer\PC Security\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NHS87.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Ltd. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSRA Link Monitor (msraLinkMonitor) - Unknown owner - C:\Program Files\Remote Tools OTP\msraLinkMonitor.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 11273 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080504-203842-171 O2 - BHO: (no name) - {398C9B84-4EF7-47B5-9862-DE29543B3C42} - (no file)
backup-20080504-203842-399 O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - (no file)
backup-20080504-203842-431 O20 - AppInit_DLLs: wbsys.dll,msosmhfp00.dll,C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
backup-20080504-203842-609 O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - (no file)
backup-20080504-203842-619 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080504-203842-794 O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 HDDlife HDD Access service - "c:\program files\binarysense\hddlife 3\hldasvc.exe" <Not Verified; BinarySense, Ltd.; HDDlife>
R2 msraLinkMonitor (MSRA Link Monitor) - "c:\program files\remote tools otp\msralinkmonitor.exe" <Not Verified; ; Quaranti Application>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia N73
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N73
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-06-06 17:15:00 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-05-06 07:37:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-08 and 2008-06-08 -----------------------------

2008-06-08 03:34:05 0 d-------- C:\Documents and Settings\NHS87\.SunDownloadManager
2008-06-06 14:57:44 164352 --a------ C:\WINDOWS\system32\unrar.dll
2008-06-06 14:57:42 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-06-06 14:57:41 159839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-06 14:57:41 755027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-06 14:57:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-06 14:57:41 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-06 14:57:41 682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-06 14:57:40 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-06-06 14:57:38 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-06-06 11:37:58 0 d-------- C:\Documents and Settings\NHS87\Application Data\Free Download Manager
2008-06-06 11:37:54 0 d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-06-06 11:37:53 0 d-------- C:\Program Files\Free Download Manager
2008-06-06 11:26:34 0 d-------- C:\Documents and Settings\NHS87\Application Data\Pandion
2008-06-06 11:26:27 0 d-------- C:\Program Files\Pandion
2008-06-01 23:47:31 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-01 23:47:31 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-01 23:46:59 52512 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-01 23:46:59 8379424 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-01 23:46:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 23:43:19 0 d-------- C:\Program Files\DivX
2008-06-01 23:42:38 0 d-------- C:\kav
2008-06-01 09:52:03 0 dr-h----- C:\Documents and Settings\NHS87\Recent
2008-06-01 09:44:27 0 d-------- C:\Documents and Settings\NHS87\Application Data\Nokia Multimedia Player
2008-06-01 09:39:30 2275840 --a------ C:\WINDOWS\system32\TUKernel.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-06-08 03:30:07 0 d-------- C:\Documents and Settings\NHS87\Application Data\MegauploadToolbar
2008-06-06 17:51:31 0 d-------- C:\Program Files\FlashGet
2008-06-06 14:18:14 0 d-------- C:\Documents and Settings\NHS87\Application Data\U3
2008-06-01 23:46:59 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-01 23:43:24 1413 --a------ C:\WINDOWS\mozver.dat
2008-05-21 03:01:12 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 22:19:55 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-05 18:06:43 0 d-------- C:\Documents and Settings\NHS87\Application Data\Uniblue
2008-05-04 20:50:03 0 d-------- C:\Documents and Settings\NHS87\Application Data\Systweak
2008-05-01 01:25:06 0 d-------- C:\Program Files\Trend Micro
2008-04-27 20:42:26 256 --a------ C:\WINDOWS\system32\msosmhfp.dat
2008-04-27 20:42:07 233472 --a------ C:\WINDOWS\system32\wpcap.dll <Not Verified; CACE Technologies; WinPcap high level library>
2008-04-27 20:42:07 61440 --a------ C:\WINDOWS\system32\WanPacket.dll <Not Verified; CACE Technologies; WinPcap low level NetMon wrapper library>
2008-04-27 20:42:07 81920 --a------ C:\WINDOWS\system32\Packet.dll <Not Verified; CACE Technologies; WinPcap low level packet library>
2008-04-27 20:39:27 0 d-------- C:\Program Files\Common Files
2008-04-27 13:49:28 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-04-27 13:49:01 423424 --a------ C:\WINDOWS\system32\andt.sys
2008-04-27 10:19:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-27 10:17:36 0 d-------- C:\Program Files\Boson Software
2008-04-27 10:17:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-26 19:33:55 0 d-------- C:\Program Files\WinAVIVideoConverter
2008-04-26 19:33:47 3082 --a------ C:\WINDOWS\system32\affv208325p1now.sys
2008-04-20 00:41:44 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-19 13:16:14 0 d-------- C:\Documents and Settings\NHS87\Application Data\Apple Computer
2008-04-18 23:30:18 0 d-------- C:\Program Files\SemSim 640-801 CCNA Exams
2008-04-18 23:26:55 831488 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Atrixware, LLC.; Setup>
2008-04-18 23:26:54 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-18 22:29:58 0 d-------- C:\Documents and Settings\NHS87\Application Data\Citrix
2008-04-18 19:27:15 0 d-------- C:\Documents and Settings\NHS87\Application Data\ICAClient
2008-04-18 19:23:51 0 d-------- C:\Program Files\Citrix
2008-04-18 19:15:50 0 d-------- C:\Program Files\Remote Tools OTP
2008-04-15 20:10:28 0 d-------- C:\Program Files\QuickTime
2008-04-15 20:09:55 0 d-------- C:\Program Files\Apple Software Update
2008-04-14 20:10:11 0 d-------- C:\Program Files\Java
2008-04-14 20:09:38 0 d-------- C:\Program Files\Pass4sure


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [07/13/2006 07:12 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 09:34 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 02:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [12/03/2007 02:21 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/05/2008 08:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/07/2004 04:00 AM]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [12/13/2007 07:10 PM]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [12/10/2007 10:12 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Documents and Settings\NHS87\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 8:24:54 PM]
Thoosje Vista Sidebar.lnk - C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe [10/22/2007 8:28:57 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTrayContextMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 02/03/2008 02:03 AM 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Program Neighborhood Agent.lnk
backup=C:\WINDOWS\pss\Program Neighborhood Agent.lnkCommon Startup

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.test.com
127.0.0.1 www.ads.x10.com
127.0.0.1 www.600pics.com
127.0.0.1 www.doberman.befree.com
127.0.0.1 www.enews.bfast.com
127.0.0.1 www.etoys.bfast.com
127.0.0.1 www.falcon.bfast.com
127.0.0.1 www.ftp.befree.com
127.0.0.1 www.ftp.bfast.com
127.0.0.1 www.geocities.bfast.com


-- End of Deckard's System Scanner: finished at 2008-06-08 03:43:30 ------------

#12 Norns

Norns
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 09 June 2008 - 06:14 AM

2nd Step :

Mbam Log :

Malwarebytes' Anti-Malware 1.15
Database version: 841

7:11:26 PM 6/9/2008
mbam-log-6-9-2008 (19-11-26).txt

Scan type: Quick Scan
Objects scanned: 41051
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\andt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drmgs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

========================================================================================


New Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:42 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\Remote Tools OTP\msraLinkMonitor.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Ltd. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSRA Link Monitor (msraLinkMonitor) - Unknown owner - C:\Program Files\Remote Tools OTP\msraLinkMonitor.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 11365 bytes

#13 Norns

Norns
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 09 June 2008 - 06:40 AM

And finally my Extra.txt :

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 4000+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 4000+
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 2046.42 MiB / 1244.66 MiB
Pagefile Memory (total/avail): 3941.93 MiB / 3284.22 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.8 MiB

C: is Fixed (NTFS) - 68.36 GiB total, 44.35 GiB free.
D: is Fixed (NTFS) - 58.59 GiB total, 44.33 GiB free.
E: is Fixed (NTFS) - 87.89 GiB total, 38.15 GiB free.
F: is Fixed (NTFS) - 82.68 GiB total, 55.04 GiB free.
G: is CDROM (No Media)
H: is Fixed (NTFS) - 32.69 GiB total, 16.18 GiB free.
I: is Fixed (NTFS) - 79.1 GiB total, 26.88 GiB free.
J: is CDROM (CDFS)
K: is Removable (FAT32)

\\.\PHYSICALDRIVE1 - SAMSUNG HM120JI - 111.79 GiB - 2 partitions
\PARTITION0 - Installable File System - 32.69 GiB - H:
\PARTITION1 - Extended w/Extended Int 13 - 79.1 GiB - I:

\\.\PHYSICALDRIVE0 - ST3320620AS - 298.09 GiB - 4 partitions
\PARTITION0 - Extended w/Extended Int 13 - 229.16 GiB - D: - E: - F:
\PARTITION1 (bootable) - Installable File System - 68.36 GiB - C:

\\.\PHYSICALDRIVE2 - SanDisk U3 Cruzer Micro USB Device - 1953.22 MiB - 1 partition
\PARTITION0 - Unknown - 1952.88 MiB - K:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab)
AV: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\FlashGet\\FlashGet.exe"="C:\\Program Files\\FlashGet\\FlashGet.exe:*:Enabled:Flashget"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"F:\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"="F:\\THQ\\Titan Quest Immortal Throne\\Tqit.exe:*:Enabled:Tqit"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
"C:\\kav\\kis7.0\\english\\setup.exe"="C:\\kav\\kis7.0\\english\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\NHS87\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NORNS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\NHS87
LOGONSERVER=\\NORNS
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Nero\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\NHS87\LOCALS~1\Temp
TMP=C:\DOCUME~1\NHS87\LOCALS~1\Temp
USERDOMAIN=NORNS
USERNAME=NHS87
USERPROFILE=C:\Documents and Settings\NHS87
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

NHS87 (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Boson NetSim for CCNA --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{43C55842-E2A8-4281-8C5B-7E7016D9E349}
Citrix Presentation Server Client --> MsiExec.exe /I{2624B680-02BC-4CBC-839C-DA20DF6EF6EC}
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Free Download Manager 2.5 --> "C:\Program Files\Free Download Manager\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
K-Lite Codec Pack 3.9.5 (Full) --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Pandion --> "C:\Program Files\Pandion\Uninstall.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remote Access to HP Network (MSRA 4.1 One Time Passcode Client) --> MsiExec.exe /X{035584ED-5FE4-4CCD-AF8D-72F471261AF6}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SemSim 640-801 CCNA Exams --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\SemSim 640-801 CCNA Exams\ST6UNST.LOG"
Titan Quest --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}\setup.exe" -l0x9 -removeonly
Titan Quest Immortal Throne --> MsiExec.exe /I{CC169F76-F65F-4A19-A1FE-EC0D099B9452}
TQVault --> MsiExec.exe /I{51592501-CFCE-4570-A0B8-8B14E40BF23A}
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
WinAVIVideoConverter --> "C:\Program Files\WinAVIVideoConverter\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type106 / Error
Event Submitted/Written: 06/03/2008 06:51:05 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type62 / Error
Event Submitted/Written: 06/01/2008 11:43:06 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: Kaspersky Internet Security 7.0 -- You must restart your computer before proceeding with the installation.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1387 / Warning
Event Submitted/Written: 06/09/2008 07:16:23 PM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type1384 / Warning
Event Submitted/Written: 06/09/2008 06:53:41 PM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type1383 / Warning
Event Submitted/Written: 06/09/2008 06:53:41 PM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type1382 / Warning
Event Submitted/Written: 06/09/2008 06:52:59 PM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type1381 / Warning
Event Submitted/Written: 06/09/2008 06:52:59 PM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"



-- End of Deckard's System Scanner: finished at 2008-06-09 19:40:16 ------------



Really appreciated your help ...

Thanks a lot !!

Hope to see your reply the soonest :D

#14 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:02:58 AM

Posted 09 June 2008 - 01:33 PM

Hey Norns,

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case BitComet). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step #1

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Java™ 6 Update 3, Java™ 6 Update 5

Step #2

Please go to Eset Onlinescan (NOD32)
(You need to use InternetExplorer or enable IEView in Firefox)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
    • Click into the text area, right-click and chose "select all" (or use ctrl+a)
    • Right-click again and chose "copy" (or ctrl+c)
    • Close Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

Step #3

Please post back with the following:
  • A fresh HijackThis log
  • The Nod32 log
  • Let me know how your pc is doing
Thanks :thumbsup:

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#15 Norns

Norns
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 09 June 2008 - 08:21 PM

Hi Johannes,

Thanks a lot for your great assistance :thumbsup:

This would be the first time my machine infected seriously after almost 3 years. Well, Im very becareful my download items and website which I browse.
Normally i pay a lot attention on what I clicked. For bitcomet, i'd be using it to download movie file only.
If i recall correctly, I did once accidently click on random MSN link ... and that is what caused my machine infected.
At first I have succesfully clean the Heur trojan in safe mood, but out of no where the trojan attack again few days back. I believe I did not clean it perfectly ...

Umm, can i know from my latest log above, is my machine clean already after using MBAM ?


I will do the above once I get back home from office ... 9 hours from now .... :blink:

Once again, Thank you very much !




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users