Advancedxpfixer


  • This topic is locked
4 replies to this topic

#1 jimjim415
  • Members
  • 3 posts

Posted 01 June 2008 - 04:31 PM

I got it a few days ago. Avast was showing trojans win32:agent-gps but could not delete them.

I followed the steps from this forum, and here are the logs.

ComboFix 08-05-29.1 - Kotus 2008-06-01 21:16:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.908 [GMT 1:00]
Running from: C:\Documents and Settings\Kotus\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kotus\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kotus\Application Data\ShoppingReport
C:\Documents and Settings\Kotus\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Kotus\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Kotus\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Kotus\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Kotus\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Kotus\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Kotus\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Program Files\iMeshBar
C:\Program Files\iMeshBar\bar\History\search
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\g32.txt
C:\WINDOWS\hosts
C:\WINDOWS\s32.txt
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\nvrsma.dll
C:\WINDOWS\ws386.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 17:51 . 2008-06-01 17:51 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-06-01 17:46 . 2003-03-31 21:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-06-01 17:45 . 2003-03-31 21:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-06-01 17:44 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-06-01 17:44 . 2001-08-17 22:36 312,832 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_aqueue.dll
2008-06-01 17:44 . 2001-08-17 22:36 175,104 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpadm.dll
2008-06-01 17:44 . 2001-08-17 22:36 45,056 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_aqadmin.dll
2008-06-01 17:44 . 2003-03-31 21:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0804.dll
2008-06-01 17:44 . 2003-03-31 21:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0412.dll
2008-06-01 17:44 . 2003-03-31 21:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0411.dll
2008-06-01 17:44 . 2003-03-31 21:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0404.dll
2008-06-01 17:44 . 2001-08-17 22:36 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll
2008-06-01 17:35 . 2001-08-17 22:36 176,640 --a------ C:\WINDOWS\system32\LXMDSUI.DLL
2008-06-01 17:34 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-06-01 17:32 . 2003-03-31 21:00 1,174,016 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2008-06-01 17:31 . 2003-03-31 21:00 489,984 --a------ C:\WINDOWS\system32\hypertrm.dll
2008-06-01 17:31 . 2003-03-31 21:00 272,896 --a--c--- C:\WINDOWS\system32\dllcache\pinball.exe
2008-06-01 17:31 . 2003-03-31 21:00 179,200 --a--c--- C:\WINDOWS\system32\dllcache\accwiz.exe
2008-06-01 17:31 . 2003-03-31 21:00 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2008-06-01 17:31 . 2003-03-31 21:00 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2008-06-01 17:31 . 2003-03-31 21:00 124,416 --a--c--- C:\WINDOWS\system32\dllcache\sndrec32.exe
2008-06-01 17:31 . 2003-03-31 21:00 66,048 --a--c--- C:\WINDOWS\system32\dllcache\access.cpl
2008-06-01 17:31 . 2003-03-31 21:00 66,048 --a------ C:\WINDOWS\system32\access.cpl
2008-06-01 17:21 . 2002-08-29 01:27 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-06-01 17:21 . 2001-08-17 13:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-06-01 17:21 . 2002-08-29 01:32 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-06-01 17:20 . 2001-08-17 12:12 23,070 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-06-01 17:16 . 2002-08-29 03:46 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2008-06-01 17:15 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2008-06-01 17:09 . 2003-03-31 21:00 1,086,182 -ra------ C:\WINDOWS\SET59.tmp
2008-06-01 17:09 . 2003-03-31 21:00 13,608 -ra------ C:\WINDOWS\SET65.tmp
2008-06-01 16:45 . 2003-03-31 21:00 1,086,182 -ra------ C:\WINDOWS\SET58.tmp
2008-06-01 16:41 . 2008-06-01 16:41 0 --a------ C:\WINDOWS\SETF3.tmp
2008-06-01 15:22 . 2008-06-01 15:46 <DIR> d-------- C:\XPSP2
2008-06-01 15:21 . 2008-06-01 15:55 <DIR> d-------- C:\XPCD
2008-06-01 13:53 . 2008-06-01 13:57 <DIR> d-------- C:\HiJackThis
2008-06-01 12:32 . 2004-06-02 13:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-01 12:32 . 2004-06-02 13:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-06-01 12:32 . 2008-06-01 12:32 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-01 07:18 . 2008-06-01 07:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-01 07:17 . 2007-03-29 13:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-05-31 23:25 . 2008-06-01 07:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-31 19:36 . 2008-05-31 19:36 8,502,904 --a------ C:\Program Files\Windows-KB890830-V1.41.exe
2008-05-31 18:51 . 2008-05-12 16:31 622,632 --a------ C:\Program Files\autoruns.exe
2008-05-31 18:51 . 2008-05-09 13:56 520,232 --a------ C:\Program Files\autorunsc.exe
2008-05-31 18:49 . 2008-05-31 18:43 559,050 --a------ C:\Program Files\Autoruns.zip
2008-05-29 13:34 . 2008-06-01 15:51 101,376 --a------ C:\WINDOWS\index.exe
2008-05-29 13:33 . 2008-06-01 21:13 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-29 13:33 . 2008-06-01 21:13 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-29 13:33 . 2008-05-29 13:33 66,048 --a------ C:\WINDOWS\system32\ntpl.bin
2008-05-29 13:33 . 2008-05-29 13:33 63,488 --a------ C:\WINDOWS\system32\ho.ln
2008-05-29 13:33 . 2008-05-29 13:33 28,672 --a------ C:\WINDOWS\system32\ko.o
2008-05-29 13:32 . 2008-05-29 13:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-29 13:32 . 2008-05-29 13:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-26 19:36 . 2004-07-07 16:53 40,056 --a------ C:\WINDOWS\system32\drivers\stusb2ir.sys
2008-05-26 19:36 . 2004-07-07 16:53 40,056 --a------ C:\Program Files\stusb2ir.sys
2008-05-26 19:36 . 2004-07-07 16:53 33,792 --a------ C:\Program Files\regdll.dll
2008-05-26 19:36 . 2004-07-07 16:53 30,720 --a------ C:\Program Files\reinst.dll
2008-05-26 19:14 . 2008-05-26 19:30 <DIR> d-------- C:\Program Files\Polar
2008-05-26 19:14 . 2006-11-23 14:59 2,256,022 --a------ C:\Program Files\RS400.exe
2008-05-16 16:20 . 2008-05-16 16:20 <DIR> d-------- C:\Program Files\Freeserve
2008-05-16 16:20 . 2003-07-10 13:26 122,546 --a------ C:\WINDOWS\Uninstall.EXE
2008-05-16 16:20 . 2000-03-14 07:47 4,710 --a------ C:\WINDOWS\Help.ico
2008-05-16 16:20 . 2000-03-14 16:44 4,710 --a------ C:\WINDOWS\fs.ico
2008-05-16 16:20 . 2000-03-14 16:44 4,710 --a------ C:\WINDOWS\freeserve.ico
2008-05-05 19:25 . 2008-05-05 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
2008-05-05 19:24 . 2008-05-05 19:24 <DIR> d-------- C:\Program Files\DFX
2008-05-05 19:24 . 2008-05-05 19:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 19:24 . 2008-05-05 19:24 3,946,840 --a------ C:\Program Files\dfxInstall-WMP.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 06:18 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-05-29 21:50 --------- d-----w C:\Documents and Settings\Kotus\Application Data\Skype
2008-05-29 19:36 --------- d-----w C:\Documents and Settings\Kotus\Application Data\skypePM
2008-05-26 18:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 08:20 48,476 ----a-w C:\Program Files\autoruns.chm
2008-04-26 09:44 --------- d-----w C:\Program Files\Google
2008-04-25 16:21 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-25 16:20 --------- d-----w C:\Program Files\HP
2008-04-25 15:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-25 15:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-25 15:48 --------- d-----w C:\Program Files\Western Digital
2008-04-25 15:38 --------- d-----w C:\Program Files\Western Digital Technologies
2008-04-19 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SRS Labs
2008-04-19 21:03 --------- d-----w C:\Program Files\SRS Labs
2008-04-19 21:02 4,153,320 ----a-w C:\Program Files\SRS_Audio_Sandbox.exe
2008-04-12 22:08 16,112 ----a-w C:\Program Files\untitled.rds
2008-04-12 22:08 1,822 ----a-w C:\Program Files\magicrds.ini
2008-04-12 22:01 75,944 ----a-w C:\Program Files\Aezay_Caption_Draw_v1-0.exe
2008-04-12 13:21 250,211 ----a-w C:\Program Files\Nowplaying2Web.exe
2008-04-12 13:07 63,979 ----a-w C:\Program Files\gen_lyrics03.exe
2008-04-07 18:16 --------- d-----w C:\Program Files\InterActual
2008-04-03 17:47 4,676,024 ----a-w C:\Program Files\TVUPlayer2.3.6beta1.exe
2008-03-28 09:58 38,656 ----a-w C:\Program Files\magicrds.htm
2008-03-28 09:49 1,199,104 ----a-w C:\Program Files\magicrds.exe
2008-02-16 20:51 11,697,912 ----a-w C:\Program Files\NapsterSetup-GB-3.8.1.4.exe
2008-02-16 19:52 71,430 ----a-w C:\Program Files\nbeep03.exe
2008-02-16 19:50 8,705,840 ----a-w C:\Program Files\winamp552_full_emusic-7plus_en-us1.exe
2008-01-31 22:50 18,995,592 ----a-w C:\Program Files\avastsetuppol.exe
2008-01-06 17:53 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-06 17:49 22,595,368 ----a-w C:\Program Files\SkypeSetup.exe
2008-01-02 21:54 14,818 ----a-w C:\Program Files\spanish.lng
2007-12-13 15:38 15,032,912 ----a-w C:\Program Files\DivXPro521XP2K.exe
2007-12-13 13:20 621,568 ----a-w C:\Program Files\CCCP-Insurgent-2007-01-01.exe
2007-12-13 11:18 2,030,080 ----a-w C:\Program Files\ffdshow-20041012.exe
2007-12-12 20:53 2,889,848 ----a-w C:\Program Files\TvantsSetup.EXE
2007-12-01 19:21 1,075,536 ----a-w C:\Program Files\RegCureSetup_1_5.exe
2007-11-20 16:18 2,294 ----a-w C:\Program Files\changeLog.txt
2007-11-20 16:15 3,351,778 ----a-w C:\Program Files\Setup-SopCast-2.0.4-2007-11-20.exe
2007-10-21 12:03 14,055 ----a-w C:\Program Files\czech.lng
2007-10-21 12:02 13,965 ----a-w C:\Program Files\english.lng
2007-05-11 22:10 1,493,863 ----a-w C:\Program Files\ALLPlayer(dobreprogramy.pl).exe
2007-05-11 21:12 4,203,005 ----a-w C:\Program Files\Opera_9.20_Classic_Setup.exe
2007-01-10 20:02 13,048 ----a-w C:\Program Files\romanian.lng
2007-01-06 20:27 13,559 ----a-w C:\Program Files\dutch.lng
2006-12-10 17:50 3,534,076 ----a-w C:\Program Files\eMule0.47c-Installer.exe
2006-12-10 16:50 1,598,342 ----a-w C:\Program Files\AresUltra.exe
2006-11-06 09:18 13,343 ----a-w C:\Program Files\serbian.lng
2006-07-28 07:32 7,005 ----a-w C:\Program Files\Eula.txt
2006-07-14 10:10 12,412 ----a-w C:\Program Files\albanian.lng
2005-11-24 21:58 3,404,472 ----a-w C:\Program Files\vskype.exe
2005-11-22 23:37 50,688 ----a-w C:\Program Files\vfwwdm32.dll
2005-11-06 14:28 12,776 ----a-w C:\Program Files\russian.lng
2005-10-29 16:12 5,301,545 ----a-w C:\Program Files\iMeshV5.exe
2005-10-28 23:06 598,984 ----a-w C:\Program Files\kazaa_setup.exe
2005-09-03 13:51 12,175 ----a-w C:\Program Files\turkish.lng
2004-08-09 14:23 39 ----a-w C:\Program Files\Setup.Ini
2004-08-09 14:23 252,928 ----a-w C:\Program Files\ExSpinDn.msi
2004-08-09 14:15 2,518 ----a-w C:\Program Files\Readme.txt
2004-05-23 00:32 8,192 ----a-w C:\Program Files\tsbyuv.dll
2004-04-27 07:58 2 ----a-w C:\Program Files\stusb2ir.cat
2004-01-29 01:50 4,096 ----a-w C:\Program Files\ksuser.dll
2003-10-19 18:15 182,272 ----a-w C:\Program Files\DSClean.exe
2002-01-05 03:46 65,536 ----a-w C:\Program Files\Setup.Exe
2001-09-25 11:05 1,707,856 ----a-w C:\Program Files\InstMsiA.Exe
2001-09-11 14:04 1,821,008 ----a-w C:\Program Files\InstMsiW.Exe
.

------- Sigcheck -------

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Cleaner"="C:\Program Files\Spyware Cleaner\SpywareCleaner.exe" [ ]
"RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 21:00 13312]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 19:49 307200]
"ExpensiveNotFreeMFC"="C:\Program Files\RegistryCleaner\registrycleaner.exe" [ ]
"Polar Sync"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-06-02 12:50 32881]
"nwiz"="nwiz.exe" [2004-04-07 12:22 323584 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-07 12:22 4730880]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 16:46 172032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-02 13:12 98304]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-01-16 12:16 229376]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 09:21 245760]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2007-04-19 14:56 20480]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 09:01 88363 C:\WINDOWS\AGRSMMSG.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 14:05 200766]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2007-04-23 10:48 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2007-04-25 11:32 831488]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-17 12:25 185896]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-08 04:40 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 21:00 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 07:15:54 65588]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AVFQmenakUw"= {0DB88FF9-A712-2553-0F6C-0C4250724ACE} - C:\WINDOWS\system32\fqsh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-05-16 00:20]
R2 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-03-10 06:44]
R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\System32\DRIVERS\bwcdrv.sys [2003-12-21 09:21]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\System32\DRIVERS\aswFsBlk.sys [2008-05-16 00:16]
S2 BulkUsb;Plustek USB Scanner;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 01:48]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2003-12-04 05:29]
S3 ldiskl;ldiskl;C:\DOCUME~1\Kotus\LOCALS~1\Temp\ldiskl.sys []
S3 STUSB2Ir;SigmaTel USB 2.0 IrDA Bridge;C:\WINDOWS\System32\DRIVERS\stusb2ir.sys [2004-07-07 16:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{092eac76-af40-11dc-a09a-000fb00ffd75}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 02:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-06-01 20:33:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 21:24:56
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????)??p?????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\BWCSRV.EXE
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
.
**************************************************************************
.
Completion time: 2008-06-01 21:36:27 - machine was rebooted [Kotus]
ComboFix-quarantined-files.txt 2008-06-01 20:36:16

Pre-Run: 5,304,004,608 bytes free
Post-Run: 6,017,708,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

287 --- E O F --- 2008-05-27 19:02:34

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-17 12:25 185896]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-08 04:40 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 21:00 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 07:15:54 65588]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AVFQmenakUw"= {0DB88FF9-A712-2553-0F6C-0C4250724ACE} - C:\WINDOWS\system32\fqsh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-05-16 00:20]
R2 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-03-10 06:44]
R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\System32\DRIVERS\bwcdrv.sys [2003-12-21 09:21]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\System32\DRIVERS\aswFsBlk.sys [2008-05-16 00:16]
S2 BulkUsb;Plustek USB Scanner;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 01:48]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2003-12-04 05:29]
S3 ldiskl;ldiskl;C:\DOCUME~1\Kotus\LOCALS~1\Temp\ldiskl.sys []
S3 STUSB2Ir;SigmaTel USB 2.0 IrDA Bridge;C:\WINDOWS\System32\DRIVERS\stusb2ir.sys [2004-07-07 16:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{092eac76-af40-11dc-a09a-000fb00ffd75}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 02:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-06-01 20:33:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 21:24:56
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????)??p?????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\BWCSRV.EXE
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
.
**************************************************************************
.
Completion time: 2008-06-01 21:36:27 - machine was rebooted [Kotus]
ComboFix-quarantined-files.txt 2008-06-01 20:36:16

Pre-Run: 5,304,004,608 bytes free
Post-Run: 6,017,708,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

287 --- E O F --- 2008-05-27 19:02:34


please help...

#2 jimjim415

jimjim415
  • Topic Starter

  • Members
  • 3 posts

Posted 02 June 2008 - 02:12 PM

I ran a few programs and then scanned with Kaspersky, but it is still infected. Can anybody look at this report?

Many thanks in advance.

Michal

Kaspersky report:

KASPERSKY ONLINE SCANNER REPORT
Monday, June 02, 2008 8:10:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/06/2008
Kaspersky Anti-Virus database records: 821972


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 78305
Number of viruses found 4
Number of infected objects 16
Number of suspicious objects 0
Duration of the scan process 01:51:49

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Kotus\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Kotus\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Kotus\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Kotus\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Kotus\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Kotus\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Kotus\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\found.000\file0000.chk Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\Program Files\AresUltra.exe/Stream/data0002 Infected: not-a-virus:FraudTool.Win32.EtdScanner.a skipped

C:\Program Files\AresUltra.exe/Stream Infected: not-a-virus:FraudTool.Win32.EtdScanner.a skipped

C:\Program Files\AresUltra.exe Inno: infected - 2 skipped

C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Anytime\SignupLt.exe/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped

C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Anytime\SignupLt.exe CAB: infected - 1 skipped

C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Reinstall\SignupLt.exe/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped

C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Reinstall\SignupLt.exe CAB: infected - 1 skipped

C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Standard\SignupLt.exe/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped

C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Standard\SignupLt.exe CAB: infected - 1 skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmona.exe.vir Infected: Packed.Win32.Tibs.iu skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP10\change.log Object is locked skipped

C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP2\A0000012.exe Infected: Packed.Win32.Tibs.iu skipped

C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP2\A0000216.exe Infected: Trojan-Spy.Win32.Agent.cnw skipped

C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\nwlnkipx.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\index.exe Infected: Packed.Win32.Tibs.iu skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{6A9B264E-0E59-4734-B8DF-C8BAEF393029}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\sam Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\security Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\ho.ln Infected: Trojan-Spy.Win32.Agent.cnw skipped

C:\WINDOWS\system32\ko.o Infected: Trojan-Spy.Win32.Agent.cnw skipped

C:\WINDOWS\system32\ntpl.bin Infected: Trojan-Spy.Win32.Agent.cnw skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_514.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#3 jimjim415

jimjim415
  • Topic Starter

  • Members
  • 3 posts

Posted 05 June 2008 - 04:12 AM

Topic title was: Trojan Downloader Keeps Coming Back ~ OB

Hi

I posted a HijackThis log a week ago but had no answer. I tried to clean my laptop on my own using your website tips. I recently installed AVG and it cannot remove the last few infected files. Can you help?
Thank you in advance.

Michal

these are the files:

C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP11\A0005970.exe

C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP11\A0005990.exe Object is locked skipped
C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP11\A0005997.exe Object is locked skipped
C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP15\change.log Object is locked skipped
C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP2\A0000012.exe Object is locked skipped
C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP2\A0000216.exe


I also run the hijackthis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:09, on 05/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131136719093
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://83.16.141.243/activex/AxisCamControl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7414 bytes

Edited by Orange Blossom, 05 June 2008 - 05:35 PM.
Merged topics. ~ OB
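
One way to triage logs like the ComboFix log in post #1 and the HijackThis log in post #3, added here as an example and not part of either post or of any BleepingComputer tool: a small Python script that parses the line shapes those tools emit (Run values with ComboFix's [date time size] metadata, the ShellServiceObjectDelayLoad entry, driver lines, the MountPoints2 AutoRun command, and HijackThis O2/O4 lines) and flags the entries an analyst would check first. The sample input is a handful of lines copied from the two logs above; the flagging rules are my own heuristics, not anything the forum's helpers prescribed, and a flag is a prompt to look, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed input: a few lines copied from the ComboFix log (post #1) and the
# HijackThis log (post #3) above, not the full logs. The [HKEY_...] headers set
# the context for the registry values that follow them.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Cleaner"="C:\Program Files\Spyware Cleaner\SpywareCleaner.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 21:00 13312]
"ExpensiveNotFreeMFC"="C:\Program Files\RegistryCleaner\registrycleaner.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AVFQmenakUw"= {0DB88FF9-A712-2553-0F6C-0C4250724ACE} - C:\WINDOWS\system32\fqsh.dll [ ]
R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-05-16 00:20]
S3 ldiskl;ldiskl;C:\DOCUME~1\Kotus\LOCALS~1\Temp\ldiskl.sys []
\Shell\AutoRun\command - wd_windows_tools\setup.exe
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
"""

# ComboFix line shapes
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SSODL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*\{[^}]+\}\s*-\s*(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
AUTORUN_RE = re.compile(r'\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$')
# HijackThis line shapes
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{[^}]+\} - (?P<path>.+?)(?P<missing> \(file missing\))?$')
O4_RE = re.compile(r'^O4 - (?:HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$')
TEMP_RE = re.compile(r'\\temp\\', re.I)


@dataclass
class Finding:
    kind: str      # run, ssodl, service, autorun, bho
    name: str
    path: str
    reasons: list


def _path_reasons(path: str, meta: str) -> list:
    """Heuristics for any autostart path carrying ComboFix's [date time size] metadata."""
    reasons = []
    if not meta.strip():
        # ComboFix fills the brackets with the target's timestamp and size; empty
        # brackets mean it could not find or read the file (deleted, hidden, dangling).
        reasons.append("no file metadata: target missing, hidden or dangling")
    if TEMP_RE.search(path):
        reasons.append("loads from a Temp directory")
    return reasons


def triage(text: str) -> list:
    """Return the autostart entries an analyst should look at first."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m["key"]
        elif m := RUN_RE.match(line):
            if m["path"] and (reasons := _path_reasons(m["path"], m["meta"])):
                findings.append(Finding("run", m["name"], m["path"], reasons))
        elif m := SSODL_RE.match(line):
            reasons = _path_reasons(m["path"], m["meta"])
            if "ShellServiceObjectDelayLoad" in key:
                reasons.append("SSODL entry: DLL is loaded into Explorer at every logon")
            findings.append(Finding("ssodl", m["name"], m["path"], reasons))
        elif m := SVC_RE.match(line):
            if reasons := _path_reasons(m["path"], m["meta"]):
                findings.append(Finding("service", m["name"], m["path"], reasons))
        elif m := AUTORUN_RE.search(line):
            findings.append(Finding("autorun", "AutoRun", m["cmd"],
                                    ["MountPoints2 AutoRun command: runs when the volume is opened"]))
        elif m := O2_RE.match(line):
            if m["missing"]:
                findings.append(Finding("bho", m["name"], m["path"],
                                        ["dangling BHO registration: DLL no longer on disk"]))
        elif m := O4_RE.match(line):
            if TEMP_RE.search(m["path"]):
                findings.append(Finding("run", m["name"], m["path"], ["loads from a Temp directory"]))
    return findings


def flagged_names(text: str) -> set:
    return {f.name for f in triage(text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.path}")
        for r in f.reasons:
            print("    -", r)
```

Run as a script it prints the findings. On the sample it flags the two Run values whose target ComboFix could not read, the fqsh.dll SSODL entry, the ldiskl driver loading from the user's Temp directory, the AutoRun command and the missing QUICKfind BHO, while ctfmon.exe, the avast! driver and FixCamera pass. The rules are deliberately narrow; anything they do not match still deserves the usual check against a known-clean baseline.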


#4 chryssi2001

chryssi2001

  • Members
  • 1,930 posts

Posted 29 June 2008 - 02:33 AM

Hello jimjim415,

I apologise for the delay. The forum is too busy.

If you still need help post a new HijackThis log, and describe any symptoms you have.
Private Messages for personal support will be ignored. If you need help post in the forum.

#5 chryssi2001

chryssi2001

  • Members
  • 1,930 posts

Posted 04 July 2008 - 02:45 PM

Due to the lack of feedback, this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Private Messages for personal support will be ignored. If you need help post in the forum.



