I'm One Of The New 'WoW Account Hacked' People
This topic is locked
5 replies to this topic

#1 gajackson1
Members, 3 posts

Posted 26 May 2008 - 12:05 AM

Hi, and thanks in advance for stopping in.

The title/description says most of it - my fiancée and I live together. 2 computers, 2 WoW accounts, 2 separate, dedicated internet lines (same provider, but separate lines - not a home network).

This weekend, her account was hacked/stripped. While we worked on debugging her computer & starting the account recovery/restoration process, mine was identically attacked yesterday. However, my version is, errrm, more virulent (pardon the pun).

Even in safe mode (networked or not), I cannot get the "view hidden folders" option to stay - it immediately reverts. Downloaded and used Sophos Anti-Rootkit; in safe mode, it will show 21 hidden registry keys that can't be removed (that look like a keylogger to me), but normal mode shows nothing.

I use Windows firewall, Avast with auto-updating, and update/run my SpywareBlaster, Ad-Aware, and Spybot S&D regularly.

The keylogger could have come from a number of places, and I will be moving both her and my computers to very secure versions of Firefox tonight, and writing off IE completely. But that is not so much an issue now as just removing/cleaning this one. Oh, I should mention we live in South Korea, so any "weird" Korean-esque entries may be related to banking, etc.

If there is any other information I can provide, please ask away. I'll get on with the logs:

DSSMain:

Deckard's System Scanner v20071014.68
Run by glen on 2008-05-26 13:56:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as glen.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:33 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\glen\Desktop\dss.exe
C:\PROGRA~1\Trend Micro\HijackThis\glen.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PassOneHelper Class - {9E7CBC75-9F36-4267-A1D7-0C8339DBF70A} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - http://download.softforum.co.kr/Published/.../xw_install.cab
O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe

--
End of file - 7916 bytes

-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 13:34:56 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-26 08:39:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 08:39:21 0 d-------- C:\WINDOWS\LastGood
2008-05-26 08:08:47 0 dr-h----- C:\Documents and Settings\glen\Recent
2008-05-26 01:38:11 0 d-------- C:\Program Files\Sophos
2008-05-25 22:29:44 0 d-------- C:\Program Files\Trend Micro
2008-05-25 22:25:08 0 d-------- C:\Program Files\Panda Security
2008-05-23 19:34:54 100352 -r-hs---- C:\WINDOWS\system32\fool0.dll
2008-05-21 15:00:23 0 d-------- C:\WINDOWS\nview
2008-05-20 20:01:49 0 d-------- C:\WINDOWS\system32\LogFiles
2008-05-14 22:29:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-13 20:55:14 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-13 20:55:14 2545 --a------ C:\WINDOWS\unins000.dat
2008-05-02 20:12:36 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2008-04-30 00:58:11 0 d-------- C:\Program Files\PC Wizard 2008
2008-04-30 00:49:05 0 d-------- C:\Documents and Settings\LocalService\Desktop


-- Find3M Report ---------------------------------------------------------------

2008-05-26 13:34:54 0 d-------- C:\Documents and Settings\glen\Application Data\Mozilla
2008-05-26 01:14:32 0 d-------- C:\Program Files\SpywareBlaster
2008-05-25 21:05:48 193747 --a------ C:\Documents and Settings\glen\Application Data\Cosmos Prefs
2008-05-25 02:42:23 0 d-------- C:\Documents and Settings\glen\Application Data\U3
2008-05-25 00:48:25 0 d--h----- C:\Program Files\BPK
2008-05-23 18:57:59 0 d-------- C:\Documents and Settings\glen\Application Data\StarOffice8
2008-05-21 15:08:40 0 d-------- C:\Program Files\SpeedFan
2008-05-21 14:54:39 0 d-------- C:\Program Files\Last.fm
2008-05-02 20:13:10 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-05-02 17:53:12 4620 --a------ C:\WINDOWS\XChange.dat
2008-05-01 22:49:46 0 d-------- C:\Program Files\Zlango Pic-Talk
2008-05-01 10:26:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-21 14:47:11 0 d-------- C:\Program Files\MP3Fitness
2008-04-21 14:43:51 0 d-------- C:\Program Files\iMiniMe
2008-04-21 13:57:52 1116 -ra------ C:\WINDOWS\system32\inkacert.sys
2008-04-20 10:50:43 0 d-------- C:\Program Files\MSECache
2008-04-20 09:56:05 0 d-------- C:\Program Files\Microsoft Works
2008-04-20 09:51:38 0 d-------- C:\Program Files\Guilford Publications, Inc
2008-04-20 09:46:39 0 d-------- C:\Program Files\Common Files
2008-04-20 09:46:39 0 d-------- C:\Program Files\Common Files\L&H
2008-04-20 09:46:23 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-20 09:44:17 0 d-------- C:\Program Files\Microsoft.NET
2008-04-17 18:47:59 0 d-------- C:\Program Files\Winamp
2008-04-08 17:43:43 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-08 17:39:02 0 d-------- C:\Program Files\PowerStrip
2008-04-07 22:38:21 0 d-------- C:\Program Files\NVIDIA Corporation
2008-04-07 22:37:40 0 d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-04-07 16:06:15 0 d-------- C:\Program Files\Winamp Remote
2008-04-04 02:02:23 0 d-------- C:\Program Files\AlienGUIse
2008-04-04 01:52:05 0 d-------- C:\Program Files\Common Files\Stardock
2008-04-02 20:47:01 0 d-------- C:\Program Files\AvRack


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E7CBC75-9F36-4267-A1D7-0C8339DBF70A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 09:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 09:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 09:00 PM]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [07/14/2007 06:35 PM]
"SoundMan"="SOUNDMAN.EXE" [01/11/2006 03:08 PM C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/15/2006 10:32 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"avast!"="C:\Program Files\Alwil Software\Avast4\ashDisp.exe" [05/16/2008 08:19 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 09:00 PM]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [04/24/2008 01:19 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/15/2007 07:19 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 12/20/2001 11:34 PM 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^glen^Start Menu^Programs^Startup^Last.fm Helper.lnk]
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCManagerPlus]
C:\Anycall\Anycall PC Manager\MINI\PCManagerPlus.exe /AUTOEXEC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedBitVideoAccelerator]
"C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- 6isba62q.cmd
explore\Command- 6isba62q.cmd
open\Command- 6isba62q.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- 6isba62q.cmd
explore\Command- 6isba62q.cmd
open\Command- 6isba62q.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4144ae40-287c-11dd-8c1c-00138f3c98b0}]
AutoRun\command- H:\h8txw.exe
explore\Command- H:\h8txw.exe
open\Command- H:\h8txw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fda0ae8d-dad5-11da-9203-806d6172696f}]
AutoRun\command- 6isba62q.cmd
explore\Command- 6isba62q.cmd
open\Command- 6isba62q.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fda0ae8e-dad5-11da-9203-806d6172696f}]
AutoRun\command- 6isba62q.cmd
explore\Command- 6isba62q.cmd
open\Command- 6isba62q.cmd




-- End of Deckard's System Scanner: finished at 2008-05-26 13:56:56 ------------



DSSExtra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 18%
Physical Memory (total/avail): 2047.23 MiB / 1673.82 MiB
Pagefile Memory (total/avail): 4967.53 MiB / 4697.02 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1913.17 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 48.83 GiB total, 8.15 GiB free.
D: is Fixed (NTFS) - 97.65 GiB total, 44.49 GiB free.
E: is Fixed (FAT32) - 2.55 GiB total, 1.46 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600BB-22GUC0 - 149.05 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 48.83 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 100.21 GiB - D: - E:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.
FirewallOverride is set.

AV: avast! antivirus 4.8.1201 [VPS 080525-0] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"D:\\Program Files\\World of Warcraft\\Launcher.exe"="D:\\Program Files\\World of Warcraft\\Launcher.exe:*:Enabled:World of Warcraft"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:Last.fm"
"D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\CreativesFiles\\Shareaza.exe"="C:\\CreativesFiles\\Shareaza.exe:*:Enabled:Shareaza Ultimate File Sharing"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorService.exe"="C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorService.exe:*:Enabled:VideoAcceleratorService"
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"="C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe:*:Enabled:VideoAccelerator"
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"="C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe:*:Enabled:VideoAcceleratorService"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\glen\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MY_COMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
DBCONFIG=D:\adabas\sql
DBROOT=D:\adabas\
DBWORK=D:\adabas\sql
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\glen
LOGONSERVER=\\MY_COMPUTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;D:\adabas\bin;D:\adabas\pgm
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\glen\LOCALS~1\Temp
TMP=C:\DOCUME~1\glen\LOCALS~1\Temp
USERDOMAIN=MY_COMPUTER
USERNAME=glen
USERPROFILE=C:\Documents and Settings\glen
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

glen (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3ivx D4 4.5.1 (remove only) --> "C:\Program Files\3ivx\3ivx D4 4.5.1\uninstall.exe"
9Dragons --> MsiExec.exe /I{EB0508A0-162A-4996-85A1-00C07D33445A}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adabas D 13.01.00 --> MsiExec.exe /X{5C52CED3-D45C-4DA9-932F-B91BD44BB461}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader Korean Fonts --> MsiExec.exe /I{AC76BA86-7AD7-5670-0000-7E8A45000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE C:\WINDOWS\system32\Macromed\Shockwave 10\Install.log
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AlienGUIse Theme Manager --> C:\PROGRA~1\AlienGUIse\thememgr.exe /uninstallwise
Anycall PC Manager Plus --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39C172CD-26A6-41CF-BC69-3E988312680E}\Setup.exe" -l0x9
Auctioneer AddOns --> D:\Program Files\World of Warcraft\Auctioneer Uninstaller.exe
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Cacheman 5.50 --> C:\PROGRA~1\Cacheman\UNWISE.EXE C:\PROGRA~1\Cacheman\install.dat
Calculator Powertoy for Windows XP --> MsiExec.exe /I{B37C842A-B624-46B8-A727-654E72F1C91A}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ClearType Tuning Control Panel Applet --> MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Confidence Online™ for Web Applications --> C:\Documents and Settings\glen\Application Data\WholeSecurity\CAT\WSUIEE.exe
Digimax35 MP3 --> C:\WINDOWS\system32\UNWISE.EXE C:\WINDOWS\system32\DigiMax.LOG
Digital Camera Enhancer --> "C:\Program Files\DCEnhancer\unins000.exe"
FormatEase --> MsiExec.exe /I{D4D2FCA7-6B29-498D-AEB4-CAA8D2272E9D}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp deskjet 656c series (Remove only) --> C:\Program Files\hp deskjet 656c series\hpfiui.exe -c -vdivid=HPF -vpnum=89 -vinstport=USB001 -vproduct=656c -huninstall
HTML Slideshow Powertoy for Windows XP --> MsiExec.exe /I{4E475FD4-4513-4B1D-8DDA-43912B068C99}
IBM ViaVoice TTS Runtime v5.0 - US English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A81E8E0-3067-11D2-ACE4-08005ACF5219}\Setup.exe"
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
iMiniMe Ver 3.01.01 --> "C:\Program Files\iMiniMe\unins000.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
IZArc 3.5 beta 3 --> "C:\Program Files\IZArc\unins000.exe"
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Last.fm 1.5.0.24910 --> "C:\Program Files\Last.fm\unins000.exe"
LifeFX Player --> C:\PROGRA~1\LifeFX\lfxutil.exe /uninstall
Magnifier Powertoy for Windows XP --> MsiExec.exe /I{2FBF04DC-404C-4FA4-BA28-99903080D2B9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MP3Fitness Ver. 2.0 --> "C:\Program Files\MP3Fitness\unins000.exe"
Myscan 5400 Driver --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\TWAIN_32\Myscan5400\Uninst.isu
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
nProtect KeyCrypt --> C:\WINDOWS\system32\npkuninst.exe
nProtect Netizen(remove only) --> C:\WINDOWS\system32\npnuninst.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0 --> "C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe"
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC Wizard 2008.1.84 --> "C:\Program Files\PC Wizard 2008\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerStrip 3 (remove only) --> C:\Program Files\PowerStrip\uninstal.exe
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\Intel 32\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
Realtek AC'97 Audio --> Alcrmv.exe -r -m
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
RivaTuner v2.02 --> "C:\Program Files\RivaTuner v2.02\uninstall.exe"
Samsung Anycall CDMA Driver --> C:\WINDOWS\SamsungUSBDriver\SAMSUNG CDMA USB 4.40\Uninstall.exe -cdma
Samsung Anycall HSP Driver --> C:\WINDOWS\SamsungUSBDriver\SAMSUNG HSP 2.1.0\Uninstall.exe -hsp
Samsung Anycall HSP Plus Driver --> C:\WINDOWS\SamsungUSBDriver\SAMSUNG HSP Plus 2.5.0\Uninstall.exe -hspplus
Samsung e-maxManager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2106CE00-FA53-11D3-98CC-0050BAC15A84}\setup.exe" -uninst
SAMSUNG Mobile Modem Driver Set --> C:\Program Files\SAMSUNG\SAMSUNG Mobile Modem\SSCDUninstall.exe
Shareaza 2.3.1.0 --> "C:\CreativesFiles\Uninstall\unins000.exe"
Slideshow Generator Powertoy for Windows XP --> MsiExec.exe /I{C39DE425-6CCF-4B12-A101-3CB5CF3AF3AD}
SoftCamp Secure KeyStroke 4.0 --> C:\WINDOWS\system32\UnSCSK.exe
Sophos Anti-Rootkit 1.3.1 --> C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove
SpeedBit Video Accelerator --> C:\PROGRA~1\SpeedBit Video Accelerator\UNWISE.EXE C:\PROGRA~1\SpeedBit Video Accelerator\INSTALL.LOG
SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
StarOffice 8 --> MsiExec.exe /I{4BC1CB2B-FDCE-4DB4-A557-BA8127569B0D}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
TextBridge Pro Millennium --> MsiExec.exe /I{5AB1BFD2-819E-11D3-80D9-00C04F559BE6}
Timershot Powertoy for Windows XP --> MsiExec.exe /I{A743BBCC-3438-4BB3-8397-6C9D9AC125A6}
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Ulead Photo Express 4.0 My Custom Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21BCE515-D5A3-11D4-8E33-0010B53EC668}\setup.exe"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA Rhine-Family Fast-Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Winamp Remote --> "C:\Program Files\Winamp Remote\uninstall.exe"
WinASO Registry Optimizer 2.6 --> "C:\Program Files\WinASO\Registry Optimizer 2.6\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Photo Gallery --> MsiExec.exe /X{257E440F-781F-459B-9A68-A0872B80C1D6}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Writer --> MsiExec.exe /X{9176251A-4CC1-4DDB-B343-B487195EB397}
xp-AntiSpy 3.95-2 --> C:\Program Files\xp-AntiSpy\Uninstall.exe
XPayMPI 2.0.1.1 --> "C:\Program Files\SoftForum\XPayMPI\uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type8045 / Success
Event Submitted/Written: 05/25/2008 08:59:20 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type8038 / Error
Event Submitted/Written: 05/24/2008 00:41:27 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type7990 / Success
Event Submitted/Written: 05/22/2008 08:41:48 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type7957 / Success
Event Submitted/Written: 05/21/2008 03:13:14 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type7924 / Success
Event Submitted/Written: 05/15/2008 11:08:58 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type19102 / Error
Event Submitted/Written: 05/26/2008 08:09:58 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Digimax35 MP3 service failed to start due to the following error:
%%1058

Event Record #/Type19101 / Error
Event Submitted/Written: 05/26/2008 08:09:58 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Digimax35 MP3 USB Service service failed to start due to the following error:
%%1058

Event Record #/Type19097 / Error
Event Submitted/Written: 05/26/2008 08:07:28 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type19096 / Error
Event Submitted/Written: 05/26/2008 01:43:08 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type19095 / Error
Event Submitted/Written: 05/26/2008 01:42:23 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}



-- End of Deckard's System Scanner: finished at 2008-05-26 08:22:13 ------------

KasperLog:

Monday, May 26, 2008 1:34:19 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/05/2008
Kaspersky Anti-Virus database records: 800334
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics
Total number of scanned objects 72039
Number of viruses found 4
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 01:59:23

Infected Object Name Virus Name Last Action
C:\autorun.inf Infected: Trojan.Win32.Vaklik.akp skipped
C:\Documents and Settings\glen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\glen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\glen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\glen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\glen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\glen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\glen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NMP9JP0U\va21[1].exe/WISE0009.BIN Infected: not-a-virus:AdTool.Win32.MyWebSearch.bk skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NMP9JP0U\va21[1].exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NMP9JP0U\va21[1].exe WiseSFXDropper: infected - 1 skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{32C884FF-2954-4EE1-B468-246771D12AD4}\RP656\A0083985.inf Infected: Trojan.Win32.Vaklik.akp skipped
C:\System Volume Information\_restore{32C884FF-2954-4EE1-B468-246771D12AD4}\RP658\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_504.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\217227ed23a775c24d3b\sp1\update\spcustom.dll Object is locked skipped
D:\217227ed23a775c24d3b\sp1\update\update.exe Object is locked skipped
D:\84ab5122866d3f655a62e514d793cbe0\sp1\update\spcustom.dll Object is locked skipped
D:\84ab5122866d3f655a62e514d793cbe0\sp1\update\update.exe Object is locked skipped
D:\autorun.inf Infected: Trojan.Win32.Vaklik.akp skipped
D:\c29aac601e7dcd39fc28e04\sp1\update\spcustom.dll Object is locked skipped
D:\c29aac601e7dcd39fc28e04\sp1\update\update.exe Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
D:\System Volume Information\catalog.wci\00010003.ci Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
D:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{C097796C-0940-4D3A-96F6-002DD7E622E9}\RP195\A0053329.exe/data0015/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\System Volume Information\_restore{C097796C-0940-4D3A-96F6-002DD7E622E9}\RP195\A0053329.exe/data0015/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\System Volume Information\_restore{C097796C-0940-4D3A-96F6-002DD7E622E9}\RP195\A0053329.exe/data0015/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\System Volume Information\_restore{C097796C-0940-4D3A-96F6-002DD7E622E9}\RP195\A0053329.exe/data0015/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
D:\System Volume Information\_restore{C097796C-0940-4D3A-96F6-002DD7E622E9}\RP195\A0053329.exe/data0015/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
D:\System Volume Information\_restore{C097796C-0940-4D3A-96F6-002DD7E622E9}\RP195\A0053329.exe/data0015 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
D:\System Volume Information\_restore{C097796C-0940-4D3A-96F6-002DD7E622E9}\RP195\A0053329.exe NSIS: infected - 6 skipped
E:\autorun.inf Infected: Trojan.Win32.Vaklik.akp skipped
Scan process completed.


Thanks for the help! I feel fine with registry editing & other basic operations.
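The scanner table above mixes real detections with rows where the file was merely held open ("Object is locked"), and the action column reads "skipped" on every row. The following is an added example, not code from the thread, from Kaspersky or from BleepingComputer: it parses rows in that one-object-per-line format and sorts detections by where they sit, which is what decides the cleanup step. The sample rows are copied from the log above; names such as `triage` and `classify_location` are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows copied from the log posted above, in the scanner's
# one-object-per-line "Infected Object Name / Virus Name / Last Action" format.
SAMPLE_LOG = """\
C:\\autorun.inf Infected: Trojan.Win32.Vaklik.akp skipped
C:\\Documents and Settings\\glen\\NTUSER.DAT Object is locked skipped
C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files\\Content.IE5\\NMP9JP0U\\va21[1].exe/WISE0009.BIN Infected: not-a-virus:AdTool.Win32.MyWebSearch.bk skipped
C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files\\Content.IE5\\NMP9JP0U\\va21[1].exe WiseSFX: infected - 1 skipped
C:\\System Volume Information\\_restore{32C884FF-2954-4EE1-B468-246771D12AD4}\\RP656\\A0083985.inf Infected: Trojan.Win32.Vaklik.akp skipped
D:\\autorun.inf Infected: Trojan.Win32.Vaklik.akp skipped
D:\\System Volume Information\\_restore{C097796C-0940-4D3A-96F6-002DD7E622E9}\\RP195\\A0053329.exe/data0015/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\\System Volume Information\\_restore{C097796C-0940-4D3A-96F6-002DD7E622E9}\\RP195\\A0053329.exe NSIS: infected - 6 skipped
E:\\autorun.inf Infected: Trojan.Win32.Vaklik.akp skipped
Scan process completed.
"""

# A row is: path, then "Infected: <name>" | "Object is locked" | "<archiver>: infected - <n>", then the action.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)|Object is locked"
    r"|(?P<container>\w+): infected - (?P<count>\d+)) (?P<action>\w+)$"
)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.I)
CACHE_RE = re.compile(r"\\Temporary Internet Files\\", re.I)
AUTORUN_RE = re.compile(r"^([A-Z]):\\autorun\.inf$", re.I)

@dataclass
class Detection:
    path: str
    name: str
    action: str
    location: str
    container: bool = False  # archive/SFX row summarising flagged members

def classify_location(path):
    """Map a flagged path to the cleanup step that actually reaches it."""
    if RESTORE_RE.search(path):
        return "restore-point"       # Windows' own copies; gone once System Restore is reset
    if CACHE_RE.search(path):
        return "browser-cache"       # IE cache; gone once temp files are emptied
    if AUTORUN_RE.match(path):
        return "drive-root-autorun"  # live autorun.inf at a drive root
    return "other"

def triage(log_text):
    """Split real detections from locked (in-use) files and count them.
    This scanner only reports: "skipped" on every row means nothing was removed."""
    detections, locked, unparsed = [], [], []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line or line == "Scan process completed.":
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)     # never silently drop a row we cannot read
        elif m["name"]:
            detections.append(Detection(m["path"], m["name"], m["action"], classify_location(m["path"])))
        elif m["container"]:
            summary = f"{m['container']} container, {m['count']} infected member(s)"
            detections.append(Detection(m["path"], summary, m["action"], classify_location(m["path"]), True))
        else:
            locked.append(m["path"])  # hive or log held open by Windows, not a finding
    return {
        "detections": detections, "locked": locked, "unparsed": unparsed,
        "by_family": Counter(d.name for d in detections if not d.container),
        "by_location": Counter(d.location for d in detections),
        "nothing_removed": all(d.action == "skipped" for d in detections),
    }

def autorun_drives(detections):
    """Drive letters whose root autorun.inf is flagged; the same detection on
    several drives at once is the mark of autorun-spreading malware."""
    return sorted(AUTORUN_RE.match(d.path).group(1).upper()
                  for d in detections if d.location == "drive-root-autorun")
```

On the sample, the only live findings are the three drive-root autorun.inf files; everything else sits in restore points or the IE cache and is covered by the reset and temp-file steps later in the thread.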

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:07:05 PM

Posted 27 May 2008 - 09:07 PM

Hello gajackson1 and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • Reg - MountPoints2
    • Reg - NeverShowExt Settings
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 gajackson1

gajackson1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:05 AM

Posted 04 June 2008 - 09:09 AM

Greatly appreciated, OT - I think I may have wrangled a lot of it on my own, but would appreciate a second (and probably much more qualified) opinion -

Before you posted up your instructions, I started looking into trying to solve it myself. I began with removing whatever virus traces I could with online tools, and doing registry editing tricks. This wound up costing me most of my device autoruns, which was a painful restoration process :)

However, it seemed to have worked - after I *thought* all was clean, I downloaded Firefox, with NoScript, AdBlocker Plus, and Keyscrambler 2.0 Personal additions (with the extra plugin for IE). I updated all the microsoft components. Did a few extra scans in safe mode & networked safe mode, using different online & offline scanners/fix tools. Used CC to tidy the registry after each reboot.

Once I felt it was safe (around the 28th my timezone), I set about changing all my passwords using the Keyscrambler-enabled Firefox along with the On-screen Keyboard.

For the past week, Firefox has taken some getting used to, but seems to be doing the trick. The vulnerability was in tainted AdobeFlash advertising - fiancee & I were just 2 of thousands of people targeted/hit by the keyloggers/bots/hackers; we have since updated all of our software/apps, trying to plug any similar vulnerability holes.

Otherwise, I followed your instructions exactly (but was sorely tempted to check the 'scan all users' box :thumbsup: ), and attached the OT text as requested. So, if there is anything I missed, just let me know!

Regards,

Glen

Attached Files



#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:07:05 PM

Posted 04 June 2008 - 11:35 AM

Hi gajackson1. Everything looks pretty good. Just a couple of leftovers to take care of:

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersProfile%\Application Data\TEMP:CB0AACC9
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Close OTScanIt.

Now let's do some final cleanup to reset the System Restore points and remove all of the tools we used during the fix and then you are all set.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
System Restore will now be active again.

Step #2

To remove all of the tools we used and the files and folders they created do the following:
  • Start OTScanIt
  • Click the CleanUp button
  • OTScanIt will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
  • OTScanIt will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.
After that you are good to go.

Cheers and Happy Computing!

OT

#5 gajackson1

gajackson1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:05 AM

Posted 05 June 2008 - 05:54 PM

Excellent, OT!

We try, as more casual users, to keep up our systems as best as possible. About 2-3 years ago, our machines got COMPLETELY botted/zombied - the kind where you unplug everything, and have to call MS when it is all done to re-activate your Windows stuff >.<

So when this happened, I got on it as quick as I could. I appreciate the help & the service you all provide here.

Regards from Seoul,

Glen & Christina

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:07:05 PM

Posted 06 June 2008 - 09:34 AM

You are very welcome gajackson1, I'm glad that we could help.

I will now close this topic. If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

OT :thumbsup: