
Found An Adware But Couldn't Remove It Totally


  • This topic is locked
25 replies to this topic

#1 user109s

user109s

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 31 May 2008 - 11:11 AM

Hi,

I found pop-up adware on my computer and ran Ad-Aware 2007, NOD32 and the most recent one, Avira anti-virus. All three did get rid of something, but I forgot the original pop-up adware's name.

I don't know how it infected my system, because when I surf the net I use the guest account for my internet use, unless the adware or malware found a way to install itself from the guest account. I had NOD32 and Ad-Aware 2007 running, but they didn't detect anything until I got the pop-up. I re-ran the scans and both found something, which I had them remove. I also ran the online scan from Trend Micro and it didn't find anything either.

Although I haven't found anything now, my PC does feel sluggish.. :thumbsup: I need some advice.
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:02 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files2\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files2\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files2\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
D:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\eagle2.EXE
D:\Program Files2\Acronis\TrueImageHome\TrueImageMonitor.exe
D:\Program Files2\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files2\RivaTuner v2.09\RivaTuner.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files2\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - d:\Program Files2\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files2\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {EFBEC6AF-1BE0-4D04-914C-41934C4AF581} - C:\WINDOWS\system32\amstrea.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files2\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SideWinderTrayV4] d:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [BigDog302] C:\WINDOWS\eagle2.EXE PROLINK USB PC Camera (ZC0302)
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files2\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files2\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" /T
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [Ad-Watch] D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "d:\Program Files2\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [NoAdware5] "D:\Program Files2\NoAdware5.0\NoAdware5.exe" :Min:
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = D:\Program Files2\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &Download by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files2\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files2\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://sgcam.dyndns.biz/activex/AMC.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: iSecurity.cpl
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files2\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - D:\Program Files2\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NBService - Nero AG - D:\Program Files2\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files2\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 13329 bytes

Edit:

Now an even stranger thing is occurring: the Windows 'Security Center' pops up from time to time and claims that it has lost the Defender and fixer, and repeatedly asks me to reinstall them. It shouldn't pop up at all, because I remember I disabled it in the admin tools! Something is wrong but I'm unable to do anything about it! :)

Thanks.

Edited by user109s, 01 June 2008 - 10:35 AM.



#2 user109s

user109s
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 04 June 2008 - 09:04 PM

Here is the latest HijackThis log, updated because of a change of AV.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:04 AM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files2\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files2\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
D:\Program Files2\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
D:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\eagle2.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
D:\Program Files2\RivaTuner v2.09\RivaTuner.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
D:\Program Files2\MagicDisc\MagicDisc.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - d:\Program Files2\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {EFBEC6AF-1BE0-4D04-914C-41934C4AF581} - C:\WINDOWS\system32\amstrea.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files2\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SideWinderTrayV4] d:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [BigDog302] C:\WINDOWS\eagle2.EXE PROLINK USB PC Camera (ZC0302)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" /T
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [Ad-Watch] D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "d:\Program Files2\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [NoAdware5] "D:\Program Files2\NoAdware5.0\NoAdware5.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = D:\Program Files2\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &Download by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://sgcam.dyndns.biz/activex/AMC.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: iSecurity.cpl
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files2\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - D:\Program Files2\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NBService - Nero AG - D:\Program Files2\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files2\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 11667 bytes


Thanks.

#3 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 06 June 2008 - 04:41 PM

HI

Your log shows evidence of a variant of the win32 IRCBOT ...

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode:-

Reboot into >>>safe mode

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
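The triage a log reader does by hand on the HijackThis output above (components whose file is missing, anything loaded through AppInit_DLLs or the ShellServiceObjectDelayLoad key, a configured proxy, and entries that refer to the same module as an O20 line) can be written down as a small parser. This is an added example, not code from the thread, from HijackThis or from SDFix; the sample lines are copied from the first log posted above, and the scoring rules and the `triage`/`flagged` function names are the example's own assumptions.

```python
"""Triage helper for HijackThis v2 log lines (added example).

Parses the "Oxx - body" line format and attaches review flags to the entries
a helper would look at first.  Flags are review hints, not verdicts.
"""
import re
from typing import Dict, List, Set

# Constructed sample: eight lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {EFBEC6AF-1BE0-4D04-914C-41934C4AF581} - C:\WINDOWS\system32\amstrea.dll (file missing)
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: iSecurity.cpl
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Every HijackThis entry is "<section code> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# HijackThis appends these when the registry points at a file that no longer exists.
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_line(line: str) -> Dict:
    """Split one log line into section code and body; non-entry lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body"), "flags": []}


def appinit_modules(entries: List[Dict]) -> Set[str]:
    """Lower-cased file-name stems listed in O20 (AppInit_DLLs) entries.

    AppInit_DLLs are loaded into every process that loads user32.dll, so any
    other entry naming the same module is worth reading together with it.
    """
    stems = set()
    for e in entries:
        if e["section"] != "O20":
            continue
        module_list = e["body"].split(":", 1)[1]          # text after "AppInit_DLLs:"
        for mod in module_list.split(","):
            mod = mod.strip()
            if mod:
                stems.add(mod.rsplit("\\", 1)[-1].split(".")[0].lower())
    return stems


def triage(log_text: str) -> List[Dict]:
    """Parse a log and attach review flags to each entry (assumed rule set)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    stems = appinit_modules(entries)
    for e in entries:
        sec, body = e["section"], e["body"]
        if body.endswith(MISSING_MARKERS):
            # Registry still references a component that is gone: leftover of an
            # uninstall, or of a removal that cleaned the file but not the key.
            e["flags"].append("missing-file")
        if sec == "O20":
            e["flags"].append("appinit-dll")
        if sec == "O21":
            # ShellServiceObjectDelayLoad objects are loaded by Explorer at logon.
            e["flags"].append("ssodl")
        if sec == "R1" and "ProxyServer" in body:
            # A proxy is only fine if the user configured it; confirm with them.
            e["flags"].append("proxy-set")
        if sec != "O20" and any(s in body.lower() for s in stems):
            e["flags"].append("linked-to-appinit")
    return entries


def flagged(log_text: str) -> List[Dict]:
    """Only the entries that carry at least one flag, in log order."""
    return [e for e in triage(log_text) if e["flags"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e['section']:<4} {', '.join(e['flags']):<38} {e['body'][:70]}")
```

Run on the full log, the same rules also surface the O2 line for amstrea.dll and the O23 Symantec service as stale references, while leaving the Java, Avira, Adobe and NVIDIA entries unflagged.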

#4 user109s

user109s
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 07 June 2008 - 01:43 AM

Hi,

Thank you for your reply, appreciated :thumbsup:

Here is the report from SDFIX;


SDFix: Version 1.188
Run by User on Sat 06/07/2008 at 02:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Name :
NtmlSvc

Path :
%SystemRoot%\System32\svchost.exe -k netsvcs

NtmlSvc - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\runner.bat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 14:27:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011b107bdce]
"001adccd677f"=hex:df,6d,49,27,6e,d2,ac,ed,ca,cb,db,00,7e,04,53,3a
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vax347s\Config\jdgg40]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0011b107bdce]
"001adccd677f"=hex:df,6d,49,27,6e,d2,ac,ed,ca,cb,db,00,7e,04,53,3a

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120% (Trial Version)"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\h]
"\x2039\x2039T\x20ac`"=dword:00000001
"\x2039\x2039\x201c\x008feQ"=dword:00000001
"\20\x90\20nc:y"=dword:00000001
"\26Y\1xc:y"=dword:00000001
"czz<h"=dword:00000000
"IQ\ah\x8d\x8f\x2013"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"c:\\windows\\system32\\nvsvc7.exe"="c:\\windows\\system32\\nvsvc7.exe:*:Enabled:nvsvc7"
"d:\\Program Files2\\Orbitdownloader\\orbitdm.exe"="d:\\Program Files2\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"d:\\Program Files2\\Orbitdownloader\\orbitnet.exe"="d:\\Program Files2\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 21 Jul 2007 8 ..SHR --- "C:\WINDOWS\system32\777F017622.sys"
Sat 21 Jul 2007 4,184 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 23 May 2008 19,968 ...H. --- "C:\Documents and Settings\iamguest\Desktop\~WRL0004.tmp"
Thu 1 May 2008 888 ...HR --- "C:\Documents and Settings\User\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!


Thanks.

#5 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 07 June 2008 - 04:05 PM

Hi

Some HAS been removed ... some hasn't ... I need you to run some more scans for me ... this may seem a lot, but it is necessary if you want a clean computer ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed, update the definitions and then run a full system scan; quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Once finished, save the log to your Desktop as filename KAV.txt

THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#6 user109s

user109s
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 11 June 2008 - 07:51 PM

Hi steamwiz,

This is the SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 06/11/2008 at 01:48 AM

Application Version : 4.15.1000

Core Rules Database Version : 3478
Trace Rules Database Version: 1469

Scan type : Complete Scan
Total Scan Time : 00:22:42

Memory items scanned : 365
Memory threats detected : 0
Registry items scanned : 6557
Registry threats detected : 0
File items scanned : 61700
File threats detected : 134

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@mediafire[1].txt
C:\Documents and Settings\User\Cookies\user@richmedia.yahoo[1].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
C:\Documents and Settings\User\Cookies\user@linkto.mediafire[1].txt
C:\Documents and Settings\User\Cookies\user@ads.us.e-planning[1].txt
C:\Documents and Settings\User\Cookies\user@tradedoubler[1].txt
C:\Documents and Settings\User\Cookies\user@zedo[1].txt
C:\Documents and Settings\User\Cookies\user@display.mediafire[2].txt
C:\Documents and Settings\User\Cookies\user@myroitracking[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@ad.yieldmanager[2].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@ad.yieldmanager[3].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@adbrite[2].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@adnetserver[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@ads.clicksor[2].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@atdmt[2].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@crackserialkeygen[2].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@cracks[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@cracktorrentserial[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@crack[2].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@easy-xxx[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@easycracks[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@forums.hardwarezone.com[2].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@hardwarezone.com[2].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@hardwarezone[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@myroitracking[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@richmedia.yahoo[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@toplist[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@tradedoubler[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@w5awarez[1].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@warezlinkers[2].txt
C:\Documents and Settings\iamguest\Cookies\iamguest@warezreleases[1].txt

Adware.Rogue-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000001.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000002.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000003.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000017.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000018.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000019.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000023.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000024.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000025.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000085.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000086.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP1\A0000087.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP11\A0000599.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP11\A0000600.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP11\A0000601.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP11\A0000609.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP11\A0000610.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP11\A0000611.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP12\A0000668.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP12\A0000669.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP12\A0000670.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP14\A0000912.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP14\A0000913.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP14\A0000914.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP15\A0001086.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP15\A0001087.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP15\A0001089.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP18\A0001142.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP18\A0001143.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP18\A0001145.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001160.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001162.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001164.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001168.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001169.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001170.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001179.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001180.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001181.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001195.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001199.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001200.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP19\A0001201.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP2\A0000098.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP2\A0000099.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP2\A0000100.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP2\A0000107.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP2\A0000108.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP2\A0000109.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP20\A0001218.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP20\A0001219.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP20\A0001220.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP20\A0001235.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP20\A0001236.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP20\A0001237.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP20\A0001246.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP20\A0001247.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP20\A0001248.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP21\A0001258.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP21\A0001259.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP21\A0001260.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP21\A0001276.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP21\A0001277.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP21\A0001278.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP21\A0001283.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP21\A0001284.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP21\A0001285.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP4\A0000227.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP4\A0000228.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP4\A0000229.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP5\A0000245.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP5\A0000246.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP5\A0000247.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP5\A0000257.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP5\A0000258.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP5\A0000259.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP8\A0000509.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP8\A0000510.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP8\A0000511.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP9\A0000540.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP9\A0000541.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP9\A0000542.LNK

Trace.Known Threat Sources
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\JG1PN08K\glb[1].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\WZ3BI4P5\index[1].htm
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\3BXJVPWW\managers[1].htm
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\MTQ76HWS\crypt[1].htm
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\JG1PN08K\progressbar[1].htm
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\CNGBKBU3\shkaladelenie[1].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\684VGT8I\head[1].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\QV6JYDER\box[2].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\5WJ2R3TR\CAEL0VKB.htm
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\684VGT8I\stats[1].jpg
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\QV6JYDER\CAHOGV91.htm
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\C9UVG9QB\bg[1].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\AVT3CYOG\lupa[1].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\QV6JYDER\common[1].htm
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\JRGW2ZD2\botton_03[1].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\IJJ76D2U\shld[1].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\65FG1KBQ\ajax[1].htm
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\WZ3BI4P5\a[1].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\4J83Q7SL\folder[1].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\0D6LY1W9\shield[1].gif
C:\Documents and Settings\iamguest\Local Settings\Temporary Internet Files\Content.IE5\MTQ76HWS\CA18G7TP.htm


This is the KASPERSKY ONLINE SCANNER 7 REPORT

KASPERSKY ONLINE SCANNER 7 REPORT

Wednesday, June 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 11, 2008 13:51:50
Records in database: 851911

Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area
Folder: C:\WINDOWS

Scan statistics
Files scanned: 17684
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:12:07

File name: C:\WINDOWS\system32\autoshutdown.exe
Threat name: Infected: HackTool.Win32.PHPWind.f
Threats count: 1

The selected area was scanned.





This is the report from Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.17
Database version: 849

8:11:01 AM 6/12/2008
mbam-log-6-12-2008 (08-11-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 99986
Time elapsed: 10 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{048BDA15-3E03-4FC4-AA79-9D88C8A9C444}\RP21\A0001290.cpl (Rogue.ISecurity) -> Quarantined and deleted successfully.

I will submit the combofix report later on, thx.

#7 user109s

user109s
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 11 June 2008 - 08:06 PM

Hi steamwiz,

This is the ComboFix report:


ComboFix 08-06-10.5 - User 2008-06-12 8:51:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3042 [GMT 8:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

** Just got it installed. I wonder why this feature was not installed during the first setup of my PC... :thumbsup:
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 08:31 . 2007-07-10 14:14 2,245,000 --a------ C:\WINDOWS\system32\bgsview.exe
2008-06-12 08:31 . 2007-02-03 12:00 516,832 --a------ C:\WINDOWS\system32\bgscapi.dll
2008-06-12 08:31 . 2007-07-10 14:00 455,048 --a------ C:\WINDOWS\system32\bgsofice.dll
2008-06-12 08:31 . 2007-07-10 14:01 270,728 --a------ C:\WINDOWS\system32\bgstb.dll
2008-06-12 08:31 . 2007-07-10 14:00 160,136 --a------ C:\WINDOWS\system32\bgsmsnd.exe
2008-06-12 08:31 . 2007-07-10 14:01 65,928 --a------ C:\WINDOWS\system32\bgsresfr.dll
2008-06-12 08:31 . 2007-07-10 14:01 65,928 --a------ C:\WINDOWS\system32\bgsreses.dll
2008-06-12 08:31 . 2007-07-10 14:01 65,928 --a------ C:\WINDOWS\system32\bgsresde.dll
2008-06-12 08:31 . 2007-07-10 14:00 57,736 --a------ C:\WINDOWS\system32\bgspmnt.dll
2008-06-12 08:31 . 2007-07-10 14:01 56,200 --a------ C:\WINDOWS\system32\bgsresen.dll
2008-06-11 01:19 . 2008-06-11 01:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-11 01:18 . 2008-06-11 01:18 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-06-07 14:10 . 2008-06-07 14:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-07 14:04 . 2008-06-07 14:10 <DIR> d-------- C:\SDFix
2008-06-07 14:03 . 2008-06-07 14:03 1,436,455 --a------ C:\SDFix.exe
2008-06-07 13:10 . 2008-06-07 13:10 <DIR> d-------- C:\Deckard
2008-06-06 23:32 . 2008-06-06 23:32 165,376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-06-06 23:32 . 2008-06-06 23:32 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-06-06 22:54 . 2008-06-06 22:54 <DIR> d-------- C:\Program Files\Atari
2008-06-05 16:51 . 2008-06-05 16:51 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-06-05 16:51 . 2008-06-05 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 16:51 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-05 16:51 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-31 23:52 . 2008-05-31 23:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-31 23:37 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-31 21:29 . 2007-06-01 23:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-29 00:25 . 2008-06-10 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-29 00:22 . 2007-06-02 22:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 00:50 --------- d-----w C:\Documents and Settings\User\Application Data\Orbit
2008-06-10 17:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 17:01 1,228 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-06-10 16:57 --------- d-----w C:\Documents and Settings\iamguest\Application Data\Orbit
2008-06-06 15:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 12:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-31 15:42 --------- d-----w C:\Program Files\Java
2008-05-28 16:22 --------- d-----w C:\Documents and Settings\User\Application Data\URSoft
2008-05-01 08:38 --------- d-----w C:\Documents and Settings\User\Application Data\Command & Conquer 3 Kane's Wrath
2008-05-01 08:33 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-27 05:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2007-06-02 14:10 127,568 ----a-w C:\Program Files\iSecurity.rar
2007-07-20 18:00 8 --sh--r C:\WINDOWS\system32\777F017622.sys
2007-07-20 18:00 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFBEC6AF-1BE0-4D04-914C-41934C4AF581}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 11:12 139264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SUPERAntiSpyware"="D:\Program Files2\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12 2658304]
"QuickTime Task"="D:\Program Files2\QuickTime\qttask.exe" [2007-07-21 01:58 282624]
"SideWinderTrayV4"="d:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe" [2000-06-28 15:41 24649]
"BigDog302"="C:\WINDOWS\eagle2.exe" [2007-01-09 11:59 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"RivaTunerStartupDaemon"="D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" [2008-04-29 02:25 2707456]
"RivaTuner"="D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" [2008-04-29 02:25 2707456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Ad-Watch"="D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-06-02 22:31 4579328]
"bgsmsnd.exe"="C:\WINDOWS\system32\bgsmsnd.exe" [2007-07-10 14:00 160136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-09 01:12:44 113664]
MagicDisc.lnk - D:\Program Files2\MagicDisc\MagicDisc.exe [2007-11-04 23:06:53 557568]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2007-06-16 04:14:57 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files2\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files2\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files2\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-02-16 18:49 149024 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 18:57 1945960 D:\Program Files2\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2007-06-02 22:31 4579328 D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iSecurity applet]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-01 00:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 18:45 1169776 D:\Program Files2\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files2\\Orbitdownloader\\orbitdm.exe"=
"d:\\Program Files2\\Orbitdownloader\\orbitnet.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-12-15 18:13]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-12-15 18:01]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys [2001-08-17 14:02]
S3 ZSMC302;PROLINK USB PC Camera (ZC0302);C:\WINDOWS\system32\Drivers\usbVM302.sys [2007-01-24 15:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2142c5aa-f88c-11dc-9b34-001731a7200d}]
\Shell\AutoRun\command - J:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 08:57:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files2\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files2\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files2\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-12 8:59:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-12 00:59:46

Pre-Run: 180,801,536 bytes free
Post-Run: 338,780,160 bytes free

176


Thanks.

Edited by user109s, 11 June 2008 - 08:19 PM.


#8 steamwiz

  • Members
  • 1,039 posts

Posted 12 June 2008 - 02:32 PM

Hi

RE:

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

** Just got it installed. I wonder why this feature was not installed at the first setup of my PC...


The recovery console is not installed automatically with Windows. If you installed Windows from a disc, then you should have had the option to install it. You can use the disc (if you have one) or download a file from Microsoft & have ComboFix install it for you... it will only be used in the unlikely event that one day in the future Windows will not boot; having the recovery console installed may save you having to reinstall...

-
Open Notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\Program Files\iSecurity.rar

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFBEC6AF-1BE0-4D04-914C-41934C4AF581}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iSecurity applet]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-

Your logs are pretty clean, I would like you to run the Kaspersky Online Scan again, and this time select :-

This time when you see select a target to scan:

Select My Computer

NOT C:\WINDOWS

It will perform a much better scan :thumbsup:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#9 user109s

  • Topic Starter
  • Members
  • 43 posts

Posted 14 June 2008 - 01:03 PM

Hi steamwiz,

Scanned result... I will do an online scan later on. Just curious, what is the possibility that the malware hides on the other drives but not the C drive? Can they self-activate from other drives? :thumbsup:

ComboFix 08-06-10.5 - User 2008-06-15 1:49:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3112 [GMT 8:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 20:40 . 2008-06-15 01:08 250 --a------ C:\WINDOWS\gmer.ini
2008-06-12 12:13 . 2008-06-12 12:13 <DIR> d-------- C:\Documents and Settings\User\Application Data\Thinstall
2008-06-12 11:36 . 2008-06-12 11:36 <DIR> d-------- C:\WINDOWS\WinAVI Video Converter 9.0
2008-06-12 08:31 . 2007-07-10 14:14 2,245,000 --a------ C:\WINDOWS\system32\bgsview.exe
2008-06-12 08:31 . 2007-02-03 12:00 516,832 --a------ C:\WINDOWS\system32\bgscapi.dll
2008-06-12 08:31 . 2007-07-10 14:00 455,048 --a------ C:\WINDOWS\system32\bgsofice.dll
2008-06-12 08:31 . 2007-07-10 14:01 270,728 --a------ C:\WINDOWS\system32\bgstb.dll
2008-06-12 08:31 . 2007-07-10 14:00 160,136 --a------ C:\WINDOWS\system32\bgsmsnd.exe
2008-06-12 08:31 . 2007-07-10 14:01 65,928 --a------ C:\WINDOWS\system32\bgsresfr.dll
2008-06-12 08:31 . 2007-07-10 14:01 65,928 --a------ C:\WINDOWS\system32\bgsreses.dll
2008-06-12 08:31 . 2007-07-10 14:01 65,928 --a------ C:\WINDOWS\system32\bgsresde.dll
2008-06-12 08:31 . 2007-07-10 14:00 57,736 --a------ C:\WINDOWS\system32\bgspmnt.dll
2008-06-12 08:31 . 2007-07-10 14:01 56,200 --a------ C:\WINDOWS\system32\bgsresen.dll
2008-06-11 01:19 . 2008-06-11 01:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-11 01:18 . 2008-06-11 01:18 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-06-07 14:10 . 2008-06-07 14:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-07 14:04 . 2008-06-07 14:10 <DIR> d-------- C:\SDFix
2008-06-07 14:03 . 2008-06-07 14:03 1,436,455 --a------ C:\SDFix.exe
2008-06-07 13:10 . 2008-06-07 13:10 <DIR> d-------- C:\Deckard
2008-06-06 23:32 . 2008-06-06 23:32 165,376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-06-06 23:32 . 2008-06-06 23:32 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-06-06 22:54 . 2008-06-06 22:54 <DIR> d-------- C:\Program Files\Atari
2008-06-05 16:51 . 2008-06-05 16:51 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-06-05 16:51 . 2008-06-05 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 16:51 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-05 16:51 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-31 23:52 . 2008-05-31 23:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-31 23:37 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-31 21:29 . 2007-06-01 23:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-29 00:25 . 2008-06-10 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-29 00:22 . 2008-06-12 12:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 16:47 --------- d-----w C:\Documents and Settings\iamguest\Application Data\Orbit
2008-06-12 05:24 --------- d-----w C:\Documents and Settings\User\Application Data\Nokia
2008-06-12 04:56 --------- d-----w C:\Documents and Settings\User\Application Data\Orbit
2008-06-10 17:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 17:01 1,228 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-06-06 15:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 12:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-31 15:42 --------- d-----w C:\Program Files\Java
2008-05-28 16:22 --------- d-----w C:\Documents and Settings\User\Application Data\URSoft
2008-05-01 08:38 --------- d-----w C:\Documents and Settings\User\Application Data\Command & Conquer 3 Kane's Wrath
2008-04-27 05:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2007-06-02 14:10 127,568 ----a-w C:\Program Files\iSecurity.rar
2007-07-20 18:00 8 --sh--r C:\WINDOWS\system32\777F017622.sys
2007-07-20 18:00 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-12_ 8.59.04.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-12 00:56:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 17:53:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 12:40:51 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-17 13:13:02 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2001-07-14 09:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
+ 2005-11-28 06:18:46 86,016 ----a-w C:\WINDOWS\system32\AddiTunes.exe
+ 2005-11-04 19:16:38 109,568 ----a-w C:\WINDOWS\system32\best3gp.exe
+ 2005-11-04 19:49:30 120,320 ----a-w C:\WINDOWS\system32\bestchanger.exe
+ 2005-12-01 14:32:00 4,755,968 ----a-w C:\WINDOWS\system32\bestconverter.exe
+ 2006-12-18 16:45:50 398,798 ----a-w C:\WINDOWS\system32\bestpmp.exe
+ 2005-03-30 19:57:24 3,138,048 ----a-w C:\WINDOWS\system32\bestxbox.exe
+ 2005-07-03 13:30:54 1,295,582 ----a-w C:\WINDOWS\system32\cygwin1.dll
+ 2005-07-09 15:27:16 61,440 ----a-w C:\WINDOWS\system32\cygz.dll
+ 2008-06-14 12:40:51 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2005-04-21 09:33:58 1,810,432 ----a-w C:\WINDOWS\system32\NCTAudioCompress2.dll
+ 2005-06-01 04:16:22 778,240 ----a-w C:\WINDOWS\system32\NCTAudioCompress2.dll
- 2005-05-05 07:24:54 2,658,304 ----a-w C:\WINDOWS\system32\NCTAudioCompress3.dll
+ 2005-07-21 05:33:30 2,846,720 ----a-w C:\WINDOWS\system32\NCTAudioCompress3.dll
- 2005-04-06 05:56:36 90,112 ----a-w C:\WINDOWS\system32\NCTAudioFormatSettings3.dll
+ 2005-06-15 12:04:46 90,112 ----a-w C:\WINDOWS\system32\NCTAudioFormatSettings3.dll
- 2005-04-14 11:05:42 294,912 ----a-w C:\WINDOWS\system32\NCTAVIFile.dll
+ 2005-06-07 10:11:26 382,464 ----a-w C:\WINDOWS\system32\NCTAVIFile.dll
+ 2005-03-18 07:01:46 626,688 ----a-w C:\WINDOWS\system32\NCTImageFile.dll
- 2005-05-05 07:46:16 282,624 ----a-w C:\WINDOWS\system32\NCTQuickTimeFile.dll
+ 2005-07-19 09:53:48 249,856 ----a-w C:\WINDOWS\system32\NCTQuickTimeFile.dll
- 2005-05-04 03:58:22 1,245,184 ----a-w C:\WINDOWS\system32\NCTRMFile.dll
+ 2005-05-25 07:24:00 764,416 ----a-w C:\WINDOWS\system32\NCTRMFile.dll
+ 2005-07-08 10:31:48 495,104 ----a-w C:\WINDOWS\system32\NCTVideoCoreM.dll
- 2005-04-18 07:14:24 139,264 ----a-w C:\WINDOWS\system32\NCTVideoFile.dll
+ 2005-06-29 08:28:40 188,416 ----a-w C:\WINDOWS\system32\NCTVideoFile.dll
+ 2005-02-22 09:32:46 312,320 ----a-w C:\WINDOWS\system32\NCTVideoView.dll
+ 2004-04-05 16:04:30 548,919 ----a-w C:\WINDOWS\system32\RMBin\codecs\colorcvt.dll
+ 2004-04-05 16:05:10 65,602 ----a-w C:\WINDOWS\system32\RMBin\codecs\cook.dll
+ 2004-07-02 09:33:30 102,464 ----a-w C:\WINDOWS\system32\RMBin\codecs\drv1.dll
+ 2004-07-02 09:33:30 176,195 ----a-w C:\WINDOWS\system32\RMBin\codecs\drv2.dll
+ 2004-07-02 09:33:30 327,749 ----a-w C:\WINDOWS\system32\RMBin\codecs\drvc.dll
+ 2004-04-05 16:07:04 266,306 ----a-w C:\WINDOWS\system32\RMBin\codecs\erv3.dll
+ 2004-04-05 16:08:06 479,298 ----a-w C:\WINDOWS\system32\RMBin\codecs\erv4.dll
+ 2004-04-05 16:05:38 548,940 ----a-w C:\WINDOWS\system32\RMBin\codecs\raac.dll
+ 2004-04-05 16:05:34 155,702 ----a-w C:\WINDOWS\system32\RMBin\codecs\ralf.dll
+ 2004-04-05 16:05:20 102,465 ----a-w C:\WINDOWS\system32\RMBin\codecs\sipr.dll
+ 2002-12-06 06:02:58 49,152 ----a-w C:\WINDOWS\system32\RMBin\plugins\auth3260.dll
+ 2002-12-06 06:02:58 40,960 ----a-w C:\WINDOWS\system32\RMBin\plugins\basc3260.dll
+ 2004-04-05 16:06:28 262,204 ----a-w C:\WINDOWS\system32\RMBin\plugins\rmwrtr.dll
+ 2002-12-06 06:02:58 45,056 ----a-w C:\WINDOWS\system32\RMBin\plugins\rn5a3260.dll
+ 2002-12-06 06:02:58 61,440 ----a-w C:\WINDOWS\system32\RMBin\plugins\sdpp3260.dll
+ 2004-04-05 16:08:10 61,493 ----a-w C:\WINDOWS\system32\RMBin\plugins\smplfsys.dll
+ 2002-12-06 06:02:58 272,896 ----a-w C:\WINDOWS\system32\RMBin\pncrt.dll
+ 2004-04-05 16:01:02 53,341 ----a-w C:\WINDOWS\system32\RMBin\tools\audiofmtconverter.dll
+ 2004-04-05 16:01:08 49,235 ----a-w C:\WINDOWS\system32\RMBin\tools\audiolimiter.dll
+ 2004-04-05 16:04:14 65,634 ----a-w C:\WINDOWS\system32\RMBin\tools\audiolosslesscodec.dll
+ 2004-04-05 16:01:16 53,327 ----a-w C:\WINDOWS\system32\RMBin\tools\audiometer.dll
+ 2004-04-05 16:01:22 327,767 ----a-w C:\WINDOWS\system32\RMBin\tools\audioresampler.dll
+ 2004-04-05 15:59:18 856,132 ----a-w C:\WINDOWS\system32\RMBin\tools\encsession.dll
+ 2002-12-06 06:02:58 36,864 ----a-w C:\WINDOWS\system32\RMBin\tools\enlv3260.dll
+ 2004-04-05 16:01:28 53,325 ----a-w C:\WINDOWS\system32\RMBin\tools\eventpack.dll
+ 2004-04-05 15:59:38 53,321 ----a-w C:\WINDOWS\system32\RMBin\tools\mediasink.dll
+ 2004-04-05 16:01:42 57,443 ----a-w C:\WINDOWS\system32\RMBin\tools\mpeg4audiopacketizer.dll
+ 2004-02-24 02:19:38 548,864 ----a-w C:\WINDOWS\system32\RMBin\tools\rmme3260.dll
+ 2004-04-05 16:02:18 86,110 ----a-w C:\WINDOWS\system32\RMBin\tools\rmsessionformat.dll
+ 2004-02-24 02:19:38 356,352 ----a-w C:\WINDOWS\system32\RMBin\tools\rmto3260.dll
+ 2004-04-05 16:00:30 241,736 ----a-w C:\WINDOWS\system32\RMBin\tools\rmwriter.dll
+ 2004-04-05 16:03:42 69,718 ----a-w C:\WINDOWS\system32\RMBin\tools\rnaudiocodec.dll
+ 2004-04-05 16:03:48 77,920 ----a-w C:\WINDOWS\system32\RMBin\tools\rnaudiopacketizer.dll
+ 2004-04-05 16:04:00 106,582 ----a-w C:\WINDOWS\system32\RMBin\tools\rnvideocodec.dll
+ 2004-04-05 16:01:46 49,249 ----a-w C:\WINDOWS\system32\RMBin\tools\videocolorconverter.dll
+ 2004-04-05 16:01:54 45,139 ----a-w C:\WINDOWS\system32\RMBin\tools\videolumaadj.dll
+ 2006-02-17 14:02:56 139,264 ----a-w C:\WINDOWS\system32\viscomqtde.dll
+ 2006-01-16 19:59:06 147,456 ----a-w C:\WINDOWS\system32\viscomqtenc.dll
+ 2003-08-18 20:31:28 81,920 ----a-w C:\WINDOWS\system32\viscomwave.dll
+ 2008-06-12 03:36:26 451,072 ----a-w C:\WINDOWS\WinAVI Video Converter 9.0\uninstall.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFBEC6AF-1BE0-4D04-914C-41934C4AF581}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 11:12 139264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SUPERAntiSpyware"="D:\Program Files2\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12 2658304]
"QuickTime Task"="D:\Program Files2\QuickTime\qttask.exe" [2007-07-21 01:58 282624]
"SideWinderTrayV4"="d:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe" [2000-06-28 15:41 24649]
"BigDog302"="C:\WINDOWS\eagle2.exe" [2007-01-09 11:59 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"RivaTunerStartupDaemon"="D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" [2008-04-29 02:25 2707456]
"RivaTuner"="D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" [2008-04-29 02:25 2707456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Ad-Watch"="D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-06-02 22:31 4579328]
"bgsmsnd.exe"="C:\WINDOWS\system32\bgsmsnd.exe" [2007-07-10 14:00 160136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-09 01:12:44 113664]
MagicDisc.lnk - D:\Program Files2\MagicDisc\MagicDisc.exe [2007-11-04 23:06:53 557568]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2007-06-16 04:14:57 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files2\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files2\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files2\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-02-16 18:49 149024 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 18:57 1945960 D:\Program Files2\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2007-06-02 22:31 4579328 D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iSecurity applet]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-01 00:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 18:45 1169776 D:\Program Files2\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files2\\Orbitdownloader\\orbitdm.exe"=
"d:\\Program Files2\\Orbitdownloader\\orbitnet.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-12-15 18:13]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-12-15 18:01]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys [2001-08-17 14:02]
S3 ZSMC302;PROLINK USB PC Camera (ZC0302);C:\WINDOWS\system32\Drivers\usbVM302.sys [2007-01-24 15:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2142c5aa-f88c-11dc-9b34-001731a7200d}]
\Shell\AutoRun\command - J:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 01:54:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\User\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal 512 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files2\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files2\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
D:\Program Files2\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2008-06-15 1:56:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 17:56:29
ComboFix2.txt 2008-06-12 00:59:54

Pre-Run: 1,307,254,784 bytes free
Post-Run: 1,382,830,080 bytes free

254

Thanks

Edited by user109s, 14 June 2008 - 01:05 PM.


#10 steamwiz

  • Members
  • 1,039 posts

Posted 14 June 2008 - 02:27 PM

Hi

Just curious, what is the possibility that the malware hides on the other drives but not the C drive? Can they self-activate from other drives?


Absolutely ...

The most common being malware running from flash drives via the autorun process ...

Malware can be run from over 50 places in the registry as well. If the registry key is pointing to the malware file, then that file will run, even if it's on another plugged-in external drive or on a different partition/drive of an internal drive.

The ComboFix log you just posted looks like a normal run of ComboFix; it doesn't look like you dropped a CFScript into ComboFix... please re-read my last post & do exactly what it says. Also post a new HijackThis log (after running ComboFix with CFScript)... then the Kaspersky Online Scan.

steam

Edited by steamwiz, 14 June 2008 - 02:27 PM.

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
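Steamwiz's point above is that a registry loading point launches whatever it points at, on whichever drive that file lives, and that AutoRun entries do the same for removable volumes. The check below is an added example, not ComboFix's or the forum's own code: it parses the "Reg Loading Points" section in the layout ComboFix prints in the logs posted in this thread, lists every autostart whose target sits outside the system drive (including a mountpoints2 AutoRun command), and notes an "EnableFirewall"= 0 setting. The sample log is constructed from entries of the shape seen in this thread, and the function and class names are this example's own.

```python
"""Read the 'Reg Loading Points' section of a ComboFix log and report
autostart targets that live outside the system drive.  Added example, not
ComboFix's own code; the sample below is constructed, not a real log."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the ComboFix "Reg Loading Points" layout.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="D:\Program Files2\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDog302"="C:\WINDOWS\eagle2.exe" [2007-01-09 11:59 49152]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"RivaTuner"="D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" [2008-04-29 02:25 2707456]
"Ad-Watch"="D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2142c5aa-f88c-11dc-9b34-001731a7200d}]
\Shell\AutoRun\command - J:\AutoRun.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "name"="value" [date time size optional-resolved-path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*(?:\[(?P<meta>[^\]]*)\])?')
# mountpoints2 AutoRun line: \Shell\AutoRun\command - <target>
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(?P<target>\S.*)$')
AUTORUN_NAME = "AutoRun\\command"


@dataclass
class Autostart:
    key: str                # registry key the entry was found under
    name: str               # value name (or AutoRun\command)
    target: str             # path ComboFix shows for the launched file
    drive: Optional[str]    # upper-case drive letter, None if not a full path


def drive_of(path: str) -> Optional[str]:
    """Return the drive letter of an absolute Windows path, else None."""
    m = re.match(r"^([A-Za-z]):\\", path.strip().strip('"'))
    return m.group(1).upper() if m else None


def parse_reg_loading_points(log: str) -> List[Autostart]:
    entries: List[Autostart] = []
    key: Optional[str] = None
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line.startswith("****") or line.startswith("----") or line.startswith("(((("):
            break                                   # next log section reached
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                        # new registry key header
            continue
        if key is None:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            target = m.group("target").strip()
            entries.append(Autostart(key, AUTORUN_NAME, target, drive_of(target)))
            continue
        m = VALUE_RE.match(line)
        if m:
            target, meta = m.group("value"), m.group("meta") or ""
            if drive_of(target) is None:
                # ComboFix resolves bare names (e.g. nwiz.exe) inside the brackets
                found = re.search(r"[A-Za-z]:\\\S+", meta)
                if found:
                    target = found.group(0)
            entries.append(Autostart(key, m.group("name"), target, drive_of(target)))
    return entries


def offsystem_autostarts(entries: List[Autostart], system_drive: str = "C") -> List[Autostart]:
    """Autostarts whose target is on a drive other than the system drive."""
    sd = system_drive.upper().rstrip(":")
    return [e for e in entries if e.drive is not None and e.drive != sd]


def autorun_commands(entries: List[Autostart]) -> List[Autostart]:
    """mountpoints2 AutoRun commands: a volume that runs a file when opened."""
    return [e for e in entries if e.name == AUTORUN_NAME]


def firewall_disabled(log: str) -> bool:
    """True when the standard profile shows "EnableFirewall"= 0."""
    return re.search(r'"EnableFirewall"=\s*0\b', log) is not None


if __name__ == "__main__":
    found = parse_reg_loading_points(SAMPLE_LOG)
    for e in offsystem_autostarts(found):
        print(f"off-system autostart: {e.name} -> {e.target}  ({e.key})")
    if firewall_disabled(SAMPLE_LOG):
        print("Windows Firewall standard profile is disabled")
```

Entries that resolve to the system drive are not printed, so on a real log the output is the short list a helper actually has to look at.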

#11 user109s

  • Topic Starter
  • Members
  • 43 posts

Posted 15 June 2008 - 12:15 PM

Hi steamwiz,

This is the re-done scan result..

ComboFix 08-06-10.5 - User 2008-06-16 0:52:19.3 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\iSecurity.rar
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\iSecurity.rar

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-15 15:41 . 2008-06-15 15:41 <DIR> d-------- C:\Documents and Settings\iamguest\Application Data\Malwarebytes
2008-06-14 20:40 . 2008-06-15 01:08 250 --a------ C:\WINDOWS\gmer.ini
2008-06-12 12:13 . 2008-06-12 12:13 <DIR> d-------- C:\Documents and Settings\User\Application Data\Thinstall
2008-06-12 11:36 . 2008-06-12 11:36 <DIR> d-------- C:\WINDOWS\WinAVI Video Converter 9.0
2008-06-12 08:31 . 2007-07-10 14:14 2,245,000 --a------ C:\WINDOWS\system32\bgsview.exe
2008-06-12 08:31 . 2007-02-03 12:00 516,832 --a------ C:\WINDOWS\system32\bgscapi.dll
2008-06-12 08:31 . 2007-07-10 14:00 455,048 --a------ C:\WINDOWS\system32\bgsofice.dll
2008-06-12 08:31 . 2007-07-10 14:01 270,728 --a------ C:\WINDOWS\system32\bgstb.dll
2008-06-12 08:31 . 2007-07-10 14:00 160,136 --a------ C:\WINDOWS\system32\bgsmsnd.exe
2008-06-12 08:31 . 2007-07-10 14:01 65,928 --a------ C:\WINDOWS\system32\bgsresfr.dll
2008-06-12 08:31 . 2007-07-10 14:01 65,928 --a------ C:\WINDOWS\system32\bgsreses.dll
2008-06-12 08:31 . 2007-07-10 14:01 65,928 --a------ C:\WINDOWS\system32\bgsresde.dll
2008-06-12 08:31 . 2007-07-10 14:00 57,736 --a------ C:\WINDOWS\system32\bgspmnt.dll
2008-06-12 08:31 . 2007-07-10 14:01 56,200 --a------ C:\WINDOWS\system32\bgsresen.dll
2008-06-11 01:19 . 2008-06-11 01:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-11 01:18 . 2008-06-11 01:18 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-06-07 14:10 . 2008-06-07 14:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-07 14:04 . 2008-06-07 14:10 <DIR> d-------- C:\SDFix
2008-06-07 14:03 . 2008-06-07 14:03 1,436,455 --a------ C:\SDFix.exe
2008-06-07 13:10 . 2008-06-07 13:10 <DIR> d-------- C:\Deckard
2008-06-06 23:32 . 2008-06-06 23:32 165,376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-06-06 23:32 . 2008-06-06 23:32 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-06-06 22:54 . 2008-06-06 22:54 <DIR> d-------- C:\Program Files\Atari
2008-06-05 16:51 . 2008-06-05 16:51 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-06-05 16:51 . 2008-06-05 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 16:51 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-05 16:51 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-31 23:52 . 2008-05-31 23:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-31 23:37 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-31 21:29 . 2007-06-01 23:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-29 00:25 . 2008-06-10 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-29 00:22 . 2008-06-15 15:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 07:48 --------- d-----w C:\Documents and Settings\iamguest\Application Data\Orbit
2008-06-15 07:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 05:24 --------- d-----w C:\Documents and Settings\User\Application Data\Nokia
2008-06-12 04:56 --------- d-----w C:\Documents and Settings\User\Application Data\Orbit
2008-06-10 17:01 1,228 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-06-06 15:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 12:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-31 15:42 --------- d-----w C:\Program Files\Java
2008-05-28 16:22 --------- d-----w C:\Documents and Settings\User\Application Data\URSoft
2008-05-01 08:38 --------- d-----w C:\Documents and Settings\User\Application Data\Command & Conquer 3 Kane's Wrath
2008-05-01 08:33 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-27 05:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2007-07-20 18:00 8 --sh--r C:\WINDOWS\system32\777F017622.sys
2007-07-20 18:00 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-06-15_ 1.55.48.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 17:53:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 17:05:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 11:12 139264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SUPERAntiSpyware"="D:\Program Files2\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12 2658304]
"QuickTime Task"="D:\Program Files2\QuickTime\qttask.exe" [2007-07-21 01:58 282624]
"SideWinderTrayV4"="d:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe" [2000-06-28 15:41 24649]
"BigDog302"="C:\WINDOWS\eagle2.exe" [2007-01-09 11:59 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"RivaTunerStartupDaemon"="D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" [2008-04-29 02:25 2707456]
"RivaTuner"="D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" [2008-04-29 02:25 2707456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Ad-Watch"="D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [ ]
"bgsmsnd.exe"="C:\WINDOWS\system32\bgsmsnd.exe" [2007-07-10 14:00 160136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-09 01:12:44 113664]
MagicDisc.lnk - D:\Program Files2\MagicDisc\MagicDisc.exe [2007-11-04 23:06:53 557568]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2007-06-16 04:14:57 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files2\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files2\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files2\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-02-16 18:49 149024 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 18:57 1945960 D:\Program Files2\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-01 00:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 18:45 1169776 D:\Program Files2\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files2\\Orbitdownloader\\orbitdm.exe"=
"d:\\Program Files2\\Orbitdownloader\\orbitnet.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-12-15 18:13]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-12-15 18:01]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
S2 MBAMService;MBAMService;"D:\Program Files2\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-06-10 19:02]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys [2001-08-17 14:02]
S3 ZSMC302;PROLINK USB PC Camera (ZC0302);C:\WINDOWS\system32\Drivers\usbVM302.sys [2007-01-24 15:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2142c5aa-f88c-11dc-9b34-001731a7200d}]
\Shell\AutoRun\command - J:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 01:06:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\msi.dll
-> ?:\WINDOWS\system32\msi.dll
-> ?:\WINDOWS\system32\msi.dll
-> ?:\WINDOWS\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files2\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files2\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2008-06-16 1:08:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 17:08:53
ComboFix2.txt 2008-06-14 17:56:37
ComboFix3.txt 2008-06-12 00:59:54

Pre-Run: 1,228,709,888 bytes free
Post-Run: 1,244,872,704 bytes free

193

Thanks

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 15 June 2008 - 03:17 PM

Hi

That's looking better :thumbsup:

Now please post a new hijackthis log ... then a new Kaspersky Online Scan report

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#13 user109s

user109s
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 17 June 2008 - 07:53 AM

Hi steamwiz,

This is the HijackThis result. I will post the Kaspersky Online Scan report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:23 PM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files2\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
D:\Program Files2\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files2\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
D:\Program Files2\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
D:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\eagle2.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files2\RivaTuner v2.09\RivaTuner.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\bgsmsnd.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files2\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files2\MagicDisc\MagicDisc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - d:\Program Files2\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\system32\bgstb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\system32\bgstb.dll
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files2\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SideWinderTrayV4] d:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [BigDog302] C:\WINDOWS\eagle2.EXE PROLINK USB PC Camera (ZC0302)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "D:\Program Files2\RivaTuner v2.09\RivaTuner.exe" /T
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] D:\Program Files2\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\WINDOWS\system32\bgsmsnd.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files2\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = D:\Program Files2\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &Download by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://d:\Program Files2\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://sgcam.dyndns.biz/activex/AMC.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files2\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - D:\Program Files2\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: MBAMService - Malwarebytes - D:\Program Files2\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - D:\Program Files2\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files2\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 11511 bytes


Thanks

#14 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 17 June 2008 - 03:06 PM

Hi

OK, your HijackThis log is clean :thumbsup:


Just need to see the KASPERSKY On-line Scan again, and remember:

This time, when you see "select a target to scan":

Select My Computer

NOT C:\WINDOWS

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#15 user109s

user109s
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 18 June 2008 - 10:15 AM

Hi steamwiz,

Scanned result:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, June 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, June 17, 2008 14:23:40
Records in database: 876716
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\


Scan statistics:
Files scanned: 145426
Threat name: 19
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 03:01:56


File name / Threat name / Threats count
C:\Documents and Settings\iamguest\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\User\.housecall6.6\Quarantine\56aMg27psA.zip.bac_a02564 Infected: Trojan-Downloader.Win32.Small.ddp 1
C:\Documents and Settings\User\.housecall6.6\Quarantine\86NWQx6wDc.zip.bac_a02564 Infected: Trojan-Downloader.Win32.Small.ddp 1
C:\Documents and Settings\User\.housecall6.6\Quarantine\cmdinfo1.exe.bac_a02564 Infected: Trojan-Downloader.Win32.INService.bl 1
C:\Documents and Settings\User\.housecall6.6\Quarantine\Info.exe.bac_a02564 Infected: Trojan-Downloader.Win32.INService.bl 1
C:\Documents and Settings\User\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.36770 Infected: Trojan.Win32.Emgr.ad 1
C:\Documents and Settings\User\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.72335 Infected: Trojan.Win32.Emgr.ac 1
C:\QooBox\Quarantine\C\Program Files\iSecurity.rar.vir Infected: Trojan.Win32.Emgr.ac 1
C:\QooBox\Quarantine\C\Program Files\iSecurity.rar.vir Infected: not-a-virus:FraudTool.Win32.WinFixer.h 1
C:\WINDOWS\system32\autoshutdown.exe Infected: HackTool.Win32.PHPWind.f 1
D:\Downloads\360safeguardv3.63setup.exe Infected: Trojan-Dropper.Win32.Agent.tbd 1
D:\Store\Adware remover\SmitfraudFix.zip Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.

Thanks.
