
Warning Spyware Detected On Your Computer


11 replies to this topic

#1 neo147

  • Members
  • 22 posts

Posted 29 June 2008 - 07:44 PM

Hi,

I hope someone can help me with this major problem.

A couple of nights ago I shut down the PC and everything was fine; then the next morning I booted up and the desktop background had changed to:

''Warning Spyware detected on your computer! Install antivirus or spyware remover to clean computer''

Now it seems like somebody went on the Internet while I was asleep and got the PC hijacked, and it's all messed up now (I'm hunting down who's responsible as I type).

Now I've never had this before, but straight away there are some suspicious things going on:

1) Desktop background changed (and cannot be changed back to the previous one)
2) a program called ''Antivirus XP'' is installed
3) PC keeps rebooting over and over again with the odd flash of the blue screen of death

I've already run my most up-to-date Spybot, Ad-Aware and AVG, all of which detected a load of stuff.

With the scanning done and all the trojans etc. deleted (or at least I think they are), the problem still exists.

After following the prep guide, here is my copy of the generated DSS report along with the Kaspersky log too.

Cheers.


Deckard's System Scanner v20071014.68
Run by S. Rahman on 2008-06-30 01:41:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
6: 2008-06-29 18:05:07 UTC - RP7 - Deckard's System Scanner Restore Point
5: 2008-06-29 18:03:44 UTC - RP6 - Installed Java™ 6 Update 6
4: 2008-06-29 17:57:57 UTC - RP5 - Removed J2SE Runtime Environment 5.0 Update 12
3: 2008-06-29 13:24:11 UTC - RP4 - Deckard's System Scanner Restore Point
2: 2008-06-29 00:42:14 UTC - RP3 - Last good restore point


-- First Restore Point --
1: 2008-06-29 00:41:53 UTC - RP2 - System Checkpoint


System Drive C: has 2.78 GiB (less than 15%) free.


-- HijackThis (run as S. Rahman.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:42:08, on 30/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\IconLock\ICONLOCK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\S. Rahman\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\S. Rahman.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IconHlprObj Class - {03183603-F684-11d2-A17F-00A0C90AE44B} - C:\PROGRA~1\IconLock\LockHlpr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IconLock] "C:\Program Files\IconLock\ICONLOCK.EXE"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphctp8j0eg2l] C:\WINDOWS\system32\lphctp8j0eg2l.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201211255828
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\S. Rahman\ie_updates3r.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7783 bytes

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 Pru58 - c:\windows\system32\drivers\pru58.sys (file missing)
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes; CDRTools>
R3 PxHelper - c:\windows\system32\drivers\pxhelper.sys <Not Verified; VERITAS Software, Inc.; PxHelp20>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
S3 sysrest.sys - c:\windows\system32\sysrest.sys
S3 tbntnd5 (USB Cable Modem NDIS driver) - c:\windows\system32\drivers\tbntnd5.sys <Not Verified; MCCI; USB Cable Modem>
S3 tbntunic (USB Cable Modem WDM driver) - c:\windows\system32\drivers\tbntunic.sys <Not Verified; MCCI; USB Cable Modem>
S3 U81xbus (LGE U8XXX driver (WDM)) - c:\windows\system32\drivers\u81xbus.sys <Not Verified; MCCI; LG Electronics U8110>
S3 U81xmdfl (LGE U8XXX USB WMC Modem Filter) - c:\windows\system32\drivers\u81xmdfl.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem Filter Driver>
S3 U81xmdm (LGE U8XXX USB WMC Modem Driver) - c:\windows\system32\drivers\u81xmdm.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem>
S3 U81xmgmt (LGE U8XXX USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\u81xmgmt.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Device Management>
S3 U81xobex (LGE U8XXX USB WMC OBEX Interface) - c:\windows\system32\drivers\u81xobex.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC OBEX Interface>
S3 WUSB54GPV4SRV (Wireless-G Portable USB Adapter Driver) - c:\windows\system32\drivers\rt2500usb.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless USB Adapters>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 TVersityMediaServer - c:\program files\tversity\media server\mediaserver.exe

S2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" (file missing)
S2 Google Online Services - c:\documents and settings\s. rahman\ie_updates3r.exe -a (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>
S4 Active HelpAssistants - c:\windows\iis\iissets (file missing)
S4 SBCSSvc (Sunbelt CounterSpy Antispyware) - "c:\program files\sunbelt software\counterspy\sbcssvc.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&0&98
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&0&98
Service: rtl8139

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Plug and Play BIOS Extension
Device ID: ROOT\SYSTEM\0003
Manufacturer: (Standard system devices)
Name: Plug and Play BIOS Extension
PNP Device ID: ROOT\SYSTEM\0003
Service: a347bus

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: PnP BIOS Extension
Device ID: ROOT\SYSTEM\0004
Manufacturer: (Standard system devices)
Name: PnP BIOS Extension
PNP Device ID: ROOT\SYSTEM\0004
Service: d347bus


-- Scheduled Tasks -------------------------------------------------------------

2008-06-30 01:00:02 350 --a------ C:\WINDOWS\Tasks\At74.job
2008-06-30 01:00:01 350 --a------ C:\WINDOWS\Tasks\At50.job
2008-06-30 01:00:01 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-06-30 00:00:00 350 --a------ C:\WINDOWS\Tasks\At73.job
2008-06-30 00:00:00 350 --a------ C:\WINDOWS\Tasks\At49.job
2008-06-29 23:00:00 350 --a------ C:\WINDOWS\Tasks\At96.job
2008-06-29 23:00:00 350 --a------ C:\WINDOWS\Tasks\At72.job
2008-06-29 23:00:00 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-06-29 22:00:00 350 --a------ C:\WINDOWS\Tasks\At95.job
2008-06-29 22:00:00 350 --a------ C:\WINDOWS\Tasks\At71.job
2008-06-29 22:00:00 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-06-29 21:00:00 350 --a------ C:\WINDOWS\Tasks\At94.job
2008-06-29 21:00:00 350 --a------ C:\WINDOWS\Tasks\At70.job
2008-06-29 21:00:00 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-06-29 20:00:00 350 --a------ C:\WINDOWS\Tasks\At93.job
2008-06-29 20:00:00 350 --a------ C:\WINDOWS\Tasks\At69.job
2008-06-29 20:00:00 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-06-29 18:00:00 350 --a------ C:\WINDOWS\Tasks\At91.job
2008-06-29 18:00:00 350 --a------ C:\WINDOWS\Tasks\At67.job
2008-06-29 18:00:00 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-06-29 17:00:00 350 --a------ C:\WINDOWS\Tasks\At90.job
2008-06-29 17:00:00 350 --a------ C:\WINDOWS\Tasks\At66.job
2008-06-29 17:00:00 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-06-29 16:00:00 350 --a------ C:\WINDOWS\Tasks\At89.job
2008-06-29 16:00:00 350 --a------ C:\WINDOWS\Tasks\At65.job
2008-06-29 16:00:00 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-06-29 15:00:00 350 --a------ C:\WINDOWS\Tasks\At88.job
2008-06-29 15:00:00 350 --a------ C:\WINDOWS\Tasks\At64.job
2008-06-29 15:00:00 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-06-29 14:00:00 350 --a------ C:\WINDOWS\Tasks\At87.job
2008-06-29 14:00:00 350 --a------ C:\WINDOWS\Tasks\At63.job
2008-06-29 14:00:00 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-06-29 13:00:00 350 --a------ C:\WINDOWS\Tasks\At86.job
2008-06-29 13:00:00 350 --a------ C:\WINDOWS\Tasks\At62.job
2008-06-29 13:00:00 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-06-29 02:00:00 350 --a------ C:\WINDOWS\Tasks\At75.job
2008-06-29 02:00:00 350 --a------ C:\WINDOWS\Tasks\At51.job
2008-06-29 02:00:00 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-06-26 19:00:00 350 --a------ C:\WINDOWS\Tasks\At92.job
2008-06-26 19:00:00 350 --a------ C:\WINDOWS\Tasks\At68.job
2008-06-26 19:00:00 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-06-26 12:00:00 350 --a------ C:\WINDOWS\Tasks\At85.job
2008-06-26 12:00:00 350 --a------ C:\WINDOWS\Tasks\At61.job
2008-06-26 12:00:00 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-06-26 11:00:00 350 --a------ C:\WINDOWS\Tasks\At84.job
2008-06-26 11:00:00 350 --a------ C:\WINDOWS\Tasks\At60.job
2008-06-26 11:00:00 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-06-26 10:00:00 350 --a------ C:\WINDOWS\Tasks\At83.job
2008-06-26 10:00:00 350 --a------ C:\WINDOWS\Tasks\At59.job
2008-06-26 10:00:00 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-06-26 09:00:00 350 --a------ C:\WINDOWS\Tasks\At82.job
2008-06-26 09:00:00 350 --a------ C:\WINDOWS\Tasks\At58.job
2008-06-26 09:00:00 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-06-26 08:00:00 350 --a------ C:\WINDOWS\Tasks\At81.job
2008-06-26 08:00:00 350 --a------ C:\WINDOWS\Tasks\At57.job
2008-06-26 08:00:00 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-06-26 07:00:00 350 --a------ C:\WINDOWS\Tasks\At80.job
2008-06-26 07:00:00 350 --a------ C:\WINDOWS\Tasks\At56.job
2008-06-26 07:00:00 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-06-26 06:00:00 350 --a------ C:\WINDOWS\Tasks\At79.job
2008-06-26 06:00:00 350 --a------ C:\WINDOWS\Tasks\At55.job
2008-06-26 06:00:00 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-06-26 05:00:00 350 --a------ C:\WINDOWS\Tasks\At78.job
2008-06-26 05:00:00 350 --a------ C:\WINDOWS\Tasks\At54.job
2008-06-26 05:00:00 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-06-26 04:00:00 350 --a------ C:\WINDOWS\Tasks\At77.job
2008-06-26 04:00:00 350 --a------ C:\WINDOWS\Tasks\At53.job
2008-06-26 04:00:00 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-06-26 03:00:00 350 --a------ C:\WINDOWS\Tasks\At76.job
2008-06-26 03:00:00 350 --a------ C:\WINDOWS\Tasks\At52.job
2008-06-26 03:00:00 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-06-24 14:11:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-29 23:44:46 0 d-------- C:\fsaua.data
2008-06-29 23:02:20 0 dr-h----- C:\Documents and Settings\S. Rahman\Recent
2008-06-29 19:03:46 0 d-------- C:\Program Files\Common Files\Java
2008-06-29 19:02:29 15328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-06-28 15:17:04 0 d-------- C:\Program Files\microsoft frontpage
2008-06-28 13:12:11 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 13:06:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-28 13:05:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\rhcpp8j0eg2l
2008-06-27 11:18:39 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\rhcpp8j0eg2l
2008-06-27 01:39:27 17920 --a------ C:\WINDOWS\system32\nloz760.exe
2008-06-27 01:37:24 60928 --a------ C:\WINDOWS\system32\blphctp8j0eg2l.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-06-27 01:37:15 109056 --a------ C:\WINDOWS\system32\lphctp8j0eg2l.exe
2008-06-09 23:41:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft


-- Find3M Report ---------------------------------------------------------------

2008-06-29 19:04:17 0 d-------- C:\Program Files\Java
2008-06-29 19:03:46 0 d-------- C:\Program Files\Common Files
2008-06-28 15:17:35 0 d-------- C:\Program Files\Kontiki
2008-06-26 08:16:02 0 d-------- C:\Program Files\eMule
2008-06-24 13:36:24 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\Adobe
2008-06-22 23:17:06 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\uTorrent
2008-06-09 23:42:23 0 d-------- C:\Program Files\Lavasoft
2008-06-09 23:42:21 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\Lavasoft
2008-06-09 23:41:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 15:09:14 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\AVG7
2008-06-08 15:08:10 0 d-------- C:\Program Files\Bonjour
2008-05-22 23:00:28 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-19 19:11:47 0 d-------- C:\Program Files\TVersity Codec Pack
2008-05-17 01:30:07 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\Xfire
2008-05-16 21:16:24 0 d---s---- C:\Program Files\Xfire
2008-05-13 22:50:26 0 d-------- C:\Program Files\AC3Filter
2008-05-13 01:24:15 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-11 14:47:17 0 d-------- C:\Documents and Settings\S. Rahman\Application Data\SopCast


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [10/02/2003 08:59 C:\WINDOWS\SOUNDMAN.EXE]
"IconLock"="C:\Program Files\IconLock\ICONLOCK.EXE" [29/08/1999 09:01]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [15/04/2008 09:56]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15/10/2004 20:40]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2005 00:34]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [25/10/2006 19:58]
"lphctp8j0eg2l"="C:\WINDOWS\system32\lphctp8j0eg2l.exe" [27/06/2008 01:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [28/06/2007 15:09]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [28/02/2007 23:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjgf32]
winjgf32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pru58.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50a2a32e-4889-11da-a518-806d6172696f}]
AutoRun\command- G:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655278ae-49fa-11da-a8c1-806d6172696f}]
AutoRun\command- G:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5136ef0-ee80-11d9-a8e5-806d6172696f}]
AutoRun\command- G:\launcher.exe

*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER



-- End of Deckard's System Scanner: finished at 2008-06-30 01:42:29 ------------

======================================================================================================


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3000+
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 511.48 MiB / 199.63 MiB
Pagefile Memory (total/avail): 1249.03 MiB / 725.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.3 MiB

C: is Fixed (NTFS) - 24.41 GiB total, 2.78 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 124.63 GiB total, 0.2 GiB free.
F: is CDROM (No Media)
G: is Fixed (NTFS) - 465.76 GiB total, 0.36 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD1600BB-00GUA0 - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 24.41 GiB - C:
\PARTITION1 - Installable File System - 124.63 GiB - E:

\\.\PHYSICALDRIVE1 - ST350083 0A USB Device - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 465.76 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:utorrent"
"C:\\Documents and Settings\\Guest\\My Documents\\My Music\\realplay.exe"="C:\\Documents and Settings\\Guest\\My Documents\\My Music\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Disabled:Football Manager 2008"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Documents and Settings\\S. Rahman\\Local Settings\\Temp\\.ttB.tmp"="C:\\Documents and Settings\\S. Rahman\\Local Settings\\Temp\\.ttB.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\S. Rahman\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
COLLECTIONID=COL8143
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=S-987DB4BA93644
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://wwss1pro.cce.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\S. Rahman
ITEMID=dj-22741-15
LANG=2057
LOGONSERVER=\\S-987DB4BA93644
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPP
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Satsuki Decoder Pack\filtres
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONID=1113240886681htx69410c69:1033c96b3c4:-1741
SESSIONNAME=Console
SWUTVER=1.0.1.1
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\S7462~1.RAH\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\S7462~1.RAH\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
UPDATEDIR=C:\DOCUME~1\S7462~1.RAH\LOCALS~1\Temp\radB93D7.tmp
USERDOMAIN=S-987DB4BA93644
USERNAME=S. Rahman
USERPROFILE=C:\Documents and Settings\S. Rahman
VERSION=3.0.5.001
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

S. Rahman (admin)
Administrator (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3 --> C:\Program Files\Common Files\Adobe\Installers\435a6af7459cb02a9c1138113a26e93\Setup.exe
Adobe Dreamweaver CS3 --> MsiExec.exe /I{F01D5ED5-D53A-4468-B428-149DC2CB3110}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Extension Manager CS3 --> MsiExec.exe /I{D7A53E41-3F32-4A44-989C-53DDEBB2130C}
Adobe Fireworks CS3 --> C:\Program Files\Common Files\Adobe\Installers\bbef028176efa5abf0233d3e1747be8\Setup.exe
Adobe Fireworks CS3 --> MsiExec.exe /I{E16110F7-1C85-4675-99F4-7938F832C825}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Setup --> MsiExec.exe /I{15C768E2-AB61-4DE3-952F-6B237A834951}
Adobe Setup --> MsiExec.exe /I{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1}
Adobe Setup --> MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVI/MPEG/ASF/WMV Splitter 3.25 --> "C:\Program Files\AVI MPEG ASF WMV Splitter\unins000.exe"
BBC iPlayer Download Manager --> MsiExec.exe /I {D466F3D9-510C-4729-B7D4-2E70490E4CDF}
BitComet 0.85 --> C:\Program Files\BitComet\uninst.exe
BlueSoleil --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}\setup.exe" -l0x9
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDXA Image Reader Filter (SVCD/XCD) (remove only) --> "C:\Program Files\CDXA Image Reader Filter (SVCDXCD)\uninstall.exe"
CloneDVD --> "C:\Program Files\Elaborate Bytes\CloneDVD\CloneDVD-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD"
Direct Show Ogg Vorbis Filter (remove only) --> "C:\WINDOWS\system32\OggDSuninst.exe"
DirectShow subtitle filter colleciton (remove only) --> "C:\WINDOWS\system32\SubtitDSuninst.exe"
DirectVobSub (remove only) --> "C:\Program Files\DirectVobSub\uninstall.exe"
EasyStudio Image Editor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{946822A3-F5D6-43B6-8335-9113A03773DC}\setup.exe" -l0x9
EAX4 Unified Redist --> MsiExec.exe /X{89661B04-C646-4412-B6D3-5E19F02F1F37}
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
ffdshow [rev 1324] [2007-07-01] --> "C:\Program Files\Satsuki Decoder Pack\filtres\unins000.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
hp deskjet 5100 --> msiexec /x{FEDA56C4-82F3-46DD-8B50-FC592BBE1C0D}
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
IconLock --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IconLock\DeIsL1.isu" -c"C:\Program Files\IconLock\LOCKDLL.dll"
iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
IsoBuster 1.4 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LogMeIn --> MsiExec.exe /I{3FEC3A5B-60FF-4626-B425-08E09B121A15}
Microsoft AutoRoute 2005 --> MsiExec.exe /I{67E4EE98-59F4-4220-89A6-A20AF5BEC689}
Microsoft Encarta Reference Library 2005 --> MsiExec.exe /I{05410141-64A6-4248-A026-9745C1E9E159}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSf22.inf, Uninstall
Mozilla Firefox (1.0.1) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0.1 (en-GB)"
MP3Producer --> C:\WINDOWS\MP3Producer Uninstaller.exe
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PIMS & File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F340FE0-E93E-4A53-B5E4-19ED2648FCAE}\Setup.exe" -l0x9
PL-2303 USB-to-Serial --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{50974B3A-B8D5-4C7B-9D23-ED0EC9517B45}\Setup.exe" -l0x9
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Registry Mechanic --> "C:\Program Files\Registry Mechanic\unins000.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SopCast 1.1.1 --> C:\Program Files\SopCast\uninst.exe
SpeechRedist --> MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SubSync --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\SubSync\ST6UNST.LOG"
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
TVersity Codec Pack 1.1 --> C:\Program Files\TVersity Codec Pack\uninst.exe
TVersity Media Server 0.9.11.4 beta --> C:\Program Files\TVersity\Media Server\uninst.exe
VideoLAN VLC media player 0.8.6a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WinAce Archiver --> C:\Program Files\WinAce\SXUNINST.EXE C:\Program Files\WinAce\SXUNINST.INI
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
WinPcap 3.1 beta3 --> "C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WINXP SP2 TCP Fix --> C:\PROGRA~1\WINXPS~1\UNWISE.EXE C:\PROGRA~1\WINXPS~1\INSTALL.LOG
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
Zoom Player (remove only) --> "C:\Program Files\Zoom Player\uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1803 / Error
Event Submitted/Written: 06/28/2008 00:31:07 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nloz734.exe, version 0.0.0.0, faulting module nloz734.exe, version 0.0.0.0, fault address 0x000010b3.
Processing media-specific event for [nloz734.exe!ws!]

Event Record #/Type1790 / Error
Event Submitted/Written: 06/27/2008 11:42:34 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type1785 / Error
Event Submitted/Written: 06/27/2008 11:17:39 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nloz723.exe, version 0.0.0.0, faulting module nloz723.exe, version 0.0.0.0, fault address 0x000010b3.
Processing media-specific event for [nloz723.exe!ws!]

Event Record #/Type1781 / Error
Event Submitted/Written: 06/27/2008 01:44:33 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nloz749.exe, version 0.0.0.0, faulting module nloz749.exe, version 0.0.0.0, fault address 0x00001777.
Processing media-specific event for [nloz749.exe!ws!]

Event Record #/Type1774 / Error
Event Submitted/Written: 06/27/2008 00:44:10 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2604, fault address 0x0013b4ef.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type61305 / Error
Event Submitted/Written: 06/30/2008 01:00:02 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At74.job command failed to start due to the following error:
%%2147942402

Event Record #/Type61304 / Error
Event Submitted/Written: 06/30/2008 01:00:01 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At50.job command failed to start due to the following error:
%%2147942405

Event Record #/Type61303 / Error
Event Submitted/Written: 06/30/2008 01:00:01 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At26.job command failed to start due to the following error:
%%2147942405

Event Record #/Type61302 / Error
Event Submitted/Written: 06/30/2008 00:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At73.job command failed to start due to the following error:
%%2147942402

Event Record #/Type61301 / Error
Event Submitted/Written: 06/30/2008 00:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At49.job command failed to start due to the following error:
%%2147942405



-- End of Deckard's System Scanner: finished at 2008-06-30 01:42:29 ------------

======================================================================================================


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 29, 2008 12:41:46
Records in database: 896951
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\S. Rahman\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 69852
Threat name: 12
Infected objects: 30
Suspicious objects: 0
Duration of the scan: 01:09:45


File name / Threat name / Threats count
C:\WINDOWS\system32\LMIinit.dll/C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.d 1
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent.ady 1
C:\WINDOWS\system32\sysrest32.exe/C:\WINDOWS\system32\sysrest32.exe Infected: Trojan.Win32.Pakes.czg 1
C:\Program Files\LogMeIn\x86\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.d 1
C:\WINDOWS\system32\k11944629414.exe Infected: Trojan-PSW.Win32.OnLineGames.sle 1
C:\WINDOWS\system32\k11944629425.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\k11944633234.exe Infected: Trojan-PSW.Win32.OnLineGames.sle 1
C:\WINDOWS\system32\k11944635101.exe Infected: Trojan-PSW.Win32.OnLineGames.thh 1
C:\WINDOWS\system32\k11944635144.exe Infected: Trojan-PSW.Win32.OnLineGames.sle 1
C:\WINDOWS\system32\k11944637076.exe Infected: Trojan-PSW.Win32.OnLineGames.hcq 1
C:\WINDOWS\system32\k119446531110.exe Infected: Trojan-PSW.Win32.OnLineGames.hck 1
C:\WINDOWS\system32\k11944727436.exe Infected: Trojan-PSW.Win32.OnLineGames.hcq 1
C:\WINDOWS\system32\k11944763066.exe Infected: Trojan-PSW.Win32.OnLineGames.hcq 1
C:\WINDOWS\system32\k11944766975.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\k11944768895.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\k11944770805.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\k11944772725.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\k11944774635.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\k11944776555.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\k11944778475.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\k11944786265.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\k11944792054.exe Infected: Trojan-PSW.Win32.OnLineGames.sle 1
C:\WINDOWS\system32\k11944792065.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\k11944797885.exe Infected: Trojan-PSW.Win32.OnLineGames.hcj 1
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.d 1
C:\WINDOWS\system32\nloz534.exe Infected: Trojan-Downloader.Win32.Cntr.by 1
C:\WINDOWS\system32\nloz749.exe Infected: Trojan-Downloader.Win32.Agent.ufv 1
C:\WINDOWS\system32\pphctp8j0eg2l.exe Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\sysrest32.exe Infected: Trojan.Win32.Pakes.czg 1
C:\WINDOWS\xhelper.dll Infected: not-a-virus:AdWare.Win32.Agent.db 1

The selected area was scanned.

======================================================================================================



#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:08:37 AM

Posted 30 June 2008 - 02:20 AM

Hi,

Thanks for the logs. That went quite well. :thumbsup:

You have quite the mess.
Including email spam bots, password stealers and a bunch of other downloaders and so on.
If you do anything sensitive on the PC (like banking, online shopping and such) y'all need to have your passwords changed from a clean machine.
This goes for all users of this machine.
Best to contact your financial institutions if you do online banking or use credit cards so they can keep an eye on your accounts.
Online game sites as well. (many of these password stealers are targeted at stealing accounts from games like WoW)

The reason you cannot fix your background is that the malware set restrictions to disable showing those settings. That too will be fixed shortly.
The reason your security software keeps detecting more and more stuff is that you have several trojans downloading it all & re-installing it.

Anyway -- let's get on with the fixing.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


--Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

--ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
--Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell me.
--Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.

Let me know how the machine is running please.

Thanks :)
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

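Blender's diagnosis above rests on two things that are visible in the logs neo147 posted: the `NoDispBackgroundPage` / `NoDispScrSavPage` policy values in the ComboFix report, which hide the Display Properties tabs the user needs to change the wallpaper back, and the Windows Firewall exceptions in the DSS report that were added for a file in the user's Temp folder and for `sysrest32.exe` (the Kaspersky report identifies that file as a trojan). Both patterns can be picked out of a log mechanically. The script below is an added example for this thread, not code from BleepingComputer, Deckard's System Scanner or ComboFix; it parses lines in the format those tools print and flags firewall exceptions that point at temp locations or carry a placeholder description, policy values that hide UI, and the disabled-firewall / suppressed-AV-notification status lines. The sample log is constructed from the entry formats seen above; the policy names beyond the two on this page (`NoDispCPL`, `DisableTaskMgr`, `DisableRegistryTools`) are well-known Windows policy values added for completeness.

```python
"""Flag suspicious entries in Deckard's System Scanner / ComboFix-style log text.

Added example for this thread; not part of either tool. The sample log below is
constructed from the entry formats the thread's own logs use.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input (same line formats as the DSS and ComboFix logs above).
SAMPLE_LOG = r'''
Windows Internal Firewall is disabled.
AntiVirusDisableNotify is set.
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:utorrent"
"C:\\Documents and Settings\\S. Rahman\\Local Settings\\Temp\\.ttB.tmp"="C:\\Documents and Settings\\S. Rahman\\Local Settings\\Temp\\.ttB.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)
'''


@dataclass(frozen=True)
class Finding:
    category: str  # "status", "firewall" or "policy"
    subject: str   # the path, policy value or status line the finding refers to
    reason: str


# Firewall exception as the log prints it: "<path>"="<path>:*:<state>:<description>"
FW_ENTRY = re.compile(r'^"(?P<path>[^"]+)"="(?P=path):\*:(?P<state>[A-Za-z]+):(?P<desc>.*)"$')
# Policy value as ComboFix prints it: "<name>"= 1 (0x1)
POLICY_ENTRY = re.compile(r'^"(?P<name>[A-Za-z]+)"=\s*(?P<value>\d+)\s*\(0x[0-9a-fA-F]+\)$')
KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')

# Log paths use doubled backslashes; a firewall exception should not normally
# point into a per-user temp directory or at a .tmp file.
SUSPICIOUS_PATH = re.compile(r'\\\\temp\\\\|\\\\local settings\\\\|\.tmp$', re.IGNORECASE)
# Real installers name their product in the rule description; these do not.
PLACEHOLDER_DESC = {"", "enable", "enabled"}

# Policy values that hide or disable UI. The first two appear in the thread's
# ComboFix log; the rest are well-known equivalents (assumed additions).
UI_RESTRICTIONS = {
    "NoDispBackgroundPage": "hides the Desktop (background) tab of Display Properties",
    "NoDispScrSavPage": "hides the Screen Saver tab of Display Properties",
    "NoDispCPL": "disables the Display control panel entirely",
    "DisableTaskMgr": "disables Task Manager",
    "DisableRegistryTools": "disables Registry Editor",
}

STATUS_FLAGS = {
    "Windows Internal Firewall is disabled.": "host firewall is off",
    "AntiVirusDisableNotify is set.": "Security Center antivirus warnings are suppressed",
}


def analyze(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in STATUS_FLAGS:
            findings.append(Finding("status", line, STATUS_FLAGS[line]))
            continue
        key = KEY_LINE.match(line)
        if key:
            current_key = key.group("key").lower()
            continue
        if "authorizedapplications" in current_key:
            m = FW_ENTRY.match(line)
            if m and m.group("state").lower() == "enabled":
                path, desc = m.group("path"), m.group("desc").strip()
                if SUSPICIOUS_PATH.search(path):
                    findings.append(Finding("firewall", path,
                                            "exception for a program in a temp / user-writable location"))
                if desc.lower() in PLACEHOLDER_DESC:
                    findings.append(Finding("firewall", path,
                                            "placeholder rule description %r" % desc))
        elif "policies" in current_key:
            m = POLICY_ENTRY.match(line)
            if m and int(m.group("value")) != 0 and m.group("name") in UI_RESTRICTIONS:
                name = m.group("name")
                findings.append(Finding("policy", current_key + "\\" + name, UI_RESTRICTIONS[name]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("[%s] %s: %s" % (f.category, f.subject, f.reason))
```

Run against the sample, the script reports the two status lines, the Temp `.ttB.tmp` exception twice (temp location and placeholder description), `sysrest32.exe` once (placeholder description only, since it lives in system32), and the two non-zero policy values under HKEY_CURRENT_USER; the legitimate `utorrent.exe` and `sessmgr.exe` exceptions and the zero-valued HKEY_USERS policy are not reported. The firewall heuristics only shortlist entries for a human to look at, which is how a helper like Blender reads these logs; a product name in the description is no proof of legitimacy.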
#3 neo147

neo147
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 30 June 2008 - 09:03 AM

Hi Blender

Here are the following Combo and HJT logs


ComboFix 08-06-20.4 - S. Rahman 2008-06-30 14:41:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.159 [GMT 1:00]
Running from: C:\Documents and Settings\S. Rahman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\S. Rahman\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\llk1194475308.h
C:\WINDOWS\system32\llk1194483321.h
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\sysrest.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACTIVE_HELPASSISTANTS
-------\Legacy_GOOGLE_ONLINE_SERVICES
-------\Service_Active HelpAssistants
-------\Service_Google Online Services
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-29 23:44 . 2008-06-29 23:44 <DIR> d-------- C:\fsaua.data
2008-06-29 22:23 . 2008-06-29 22:23 <DIR> d---s---- C:\WINDOWS\system32\config\systemprofile\UserData
2008-06-29 19:04 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-29 19:03 . 2008-06-29 19:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-29 14:23 . 2008-06-29 14:23 <DIR> d-------- C:\Deckard
2008-06-28 15:17 . 2008-06-28 15:17 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-28 13:06 . 2008-06-28 13:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-28 13:05 . 2008-06-28 13:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\rhcpp8j0eg2l
2008-06-27 11:42 . 2008-06-27 11:44 48,810 --a------ C:\WINDOWS\mssecurity.config
2008-06-27 11:18 . 2008-06-27 11:18 <DIR> d-------- C:\Documents and Settings\S. Rahman\Application Data\rhcpp8j0eg2l
2008-06-27 01:39 . 2008-06-27 01:39 17,920 --a------ C:\WINDOWS\system32\nloz760.exe
2008-06-27 01:37 . 2008-06-27 01:37 109,056 --a------ C:\WINDOWS\system32\lphctp8j0eg2l.exe
2008-06-27 01:37 . 2008-06-30 14:47 90,838 --a------ C:\WINDOWS\system32\phctp8j0eg2l.bmp
2008-06-27 01:37 . 2008-06-30 14:47 60,928 --a------ C:\WINDOWS\system32\blphctp8j0eg2l.scr
2008-06-27 01:37 . 2008-06-28 12:20 453 --a------ C:\WINDOWS\system32\xghbnx.tmp
2008-06-09 23:41 . 2008-06-09 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-03 17:56 . 2008-06-08 02:02 714 --a------ C:\WINDOWS\system\akstart.lnk
2008-05-22 01:39 . 2008-06-08 15:08 <DIR> d-------- C:\Program Files\Bonjour
2008-05-19 19:11 . 2007-04-24 17:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-05-19 19:00 . 2008-05-19 19:11 <DIR> d-------- C:\Program Files\TVersity Codec Pack
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-13 22:50 . 2008-05-13 22:50 <DIR> d-------- C:\Program Files\AC3Filter
2008-05-13 22:50 . 2004-05-25 16:06 417,792 --a------ C:\WINDOWS\system32\ac3filter.cpl
2008-05-11 18:08 . 2008-05-11 19:41 67 --a------ C:\WINDOWS\AVIConverter.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 13:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-29 18:04 --------- d-----w C:\Program Files\Java
2008-06-28 15:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-06-28 14:17 --------- d-----w C:\Program Files\Kontiki
2008-06-28 12:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 07:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-26 07:16 --------- d-----w C:\Program Files\eMule
2008-06-22 22:17 --------- d-----w C:\Documents and Settings\S. Rahman\Application Data\uTorrent
2008-06-09 22:42 --------- d-----w C:\Program Files\Lavasoft
2008-06-09 22:42 --------- d-----w C:\Documents and Settings\S. Rahman\Application Data\Lavasoft
2008-06-09 22:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 21:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-08 14:09 --------- d-----w C:\Documents and Settings\S. Rahman\Application Data\AVG7
2008-06-06 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-22 22:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-17 00:30 --------- d-----w C:\Documents and Settings\S. Rahman\Application Data\Xfire
2008-05-16 20:16 --------- d-s---w C:\Program Files\Xfire
2008-05-13 00:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-11 13:47 --------- d-----w C:\Documents and Settings\S. Rahman\Application Data\SopCast
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-03-31 00:46 3,416 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2006-03-07 01:35 1,027 ----a-w C:\Documents and Settings\All Users\Application Data\wc.dat
2007-05-24 15:24 8 --sh--r C:\WINDOWS\system32\2E9B37FAE7.dll
.

------- Sigcheck -------

2004-08-08 11:14 359040 7b11118b078b88f87183fe69eda43137 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-08 11:14 359040 7b11118b078b88f87183fe69eda43137 C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-08 11:14 359040 7b11118b078b88f87183fe69eda43137 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 15:09 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 08:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
"IconLock"="C:\Program Files\IconLock\ICONLOCK.EXE" [1999-08-29 09:01 28672]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:56 579584]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 20:40 2577632]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-05-12 00:34 6729728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"lphctp8j0eg2l"="C:\WINDOWS\system32\lphctp8j0eg2l.exe" [2008-06-27 01:37 109056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 13:01 219136]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 15:09 68856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pru58.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-04-17 14:03 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-05-12 00:34 6729728 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-05-12 00:34 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-15 00:50 233472 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Documents and Settings\\Guest\\My Documents\\My Music\\realplay.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20632:TCP"= 20632:TCP:BitComet 20632 TCP
"20632:UDP"= 20632:UDP:BitComet 20632 UDP

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-03-28 19:55]
R3 PxHelper;PxHelper;C:\WINDOWS\system32\drivers\PxHelper.sys [2001-09-11 23:23]
S0 Pru58;Pru58;C:\WINDOWS\system32\Drivers\Pru58.sys []
S3 tbntnd5;USB Cable Modem NDIS driver;C:\WINDOWS\system32\DRIVERS\tbntnd5.sys [2001-10-16 07:40]
S3 tbntunic;USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\tbntunic.sys [2001-10-16 03:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50a2a32e-4889-11da-a518-806d6172696f}]
\Shell\AutoRun\command - G:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655278ae-49fa-11da-a8c1-806d6172696f}]
\Shell\AutoRun\command - G:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5136ef0-ee80-11d9-a8e5-806d6172696f}]
\Shell\AutoRun\command - G:\launcher.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 13:11:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-30 00:00:01 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 01:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 02:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 03:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 04:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 05:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 06:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 07:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 08:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 09:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 10:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 11:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 12:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 13:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 14:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 15:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 16:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 17:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-26 18:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 19:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 20:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 21:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 22:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 23:00:00 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-30 00:00:01 C:\WINDOWS\Tasks\At50.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 01:00:00 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 02:00:00 C:\WINDOWS\Tasks\At52.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 03:00:00 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 04:00:00 C:\WINDOWS\Tasks\At54.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 05:00:00 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 06:00:00 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 07:00:00 C:\WINDOWS\Tasks\At57.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 08:00:00 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 09:00:00 C:\WINDOWS\Tasks\At59.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 10:00:00 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 11:00:00 C:\WINDOWS\Tasks\At61.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 12:00:00 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 13:00:00 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 14:00:00 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 15:00:00 C:\WINDOWS\Tasks\At65.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 16:00:00 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 17:00:00 C:\WINDOWS\Tasks\At67.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-26 18:00:00 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 19:00:00 C:\WINDOWS\Tasks\At69.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 20:00:00 C:\WINDOWS\Tasks\At70.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 21:00:00 C:\WINDOWS\Tasks\At71.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 22:00:00 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-29 23:00:00 C:\WINDOWS\Tasks\At73.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-30 00:00:02 C:\WINDOWS\Tasks\At74.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 01:00:00 C:\WINDOWS\Tasks\At75.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 02:00:00 C:\WINDOWS\Tasks\At76.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 03:00:00 C:\WINDOWS\Tasks\At77.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 04:00:00 C:\WINDOWS\Tasks\At78.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 05:00:00 C:\WINDOWS\Tasks\At79.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 06:00:00 C:\WINDOWS\Tasks\At80.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 07:00:00 C:\WINDOWS\Tasks\At81.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 08:00:00 C:\WINDOWS\Tasks\At82.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 09:00:00 C:\WINDOWS\Tasks\At83.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 10:00:00 C:\WINDOWS\Tasks\At84.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 11:00:00 C:\WINDOWS\Tasks\At85.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 12:00:00 C:\WINDOWS\Tasks\At86.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 13:00:00 C:\WINDOWS\Tasks\At87.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 14:00:00 C:\WINDOWS\Tasks\At88.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 15:00:00 C:\WINDOWS\Tasks\At89.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 16:00:00 C:\WINDOWS\Tasks\At90.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 17:00:00 C:\WINDOWS\Tasks\At91.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-26 18:00:00 C:\WINDOWS\Tasks\At92.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 19:00:00 C:\WINDOWS\Tasks\At93.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 20:00:00 C:\WINDOWS\Tasks\At94.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 21:00:00 C:\WINDOWS\Tasks\At95.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
"2008-06-29 22:00:00 C:\WINDOWS\Tasks\At96.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 14:47:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\wscript.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-30 14:56:50 - machine was rebooted [S. Rahman]
ComboFix-quarantined-files.txt 2008-06-30 13:56:25

Pre-Run: 2,910,068,736 bytes free
Post-Run: 3,036,172,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

355

======================================================================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:04:45, on 30/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\IconLock\ICONLOCK.EXE
C:\WINDOWS\system32\lphctp8j0eg2l.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IconHlprObj Class - {03183603-F684-11d2-A17F-00A0C90AE44B} - C:\PROGRA~1\IconLock\LockHlpr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IconLock] "C:\Program Files\IconLock\ICONLOCK.EXE"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphctp8j0eg2l] C:\WINDOWS\system32\lphctp8j0eg2l.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201211255828
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7743 bytes

======================================================================================================

#4 neo147

neo147
  • Topic Starter

  • Members
  • 22 posts

Posted 30 June 2008 - 09:12 AM

Sorry for the double post; there seemed to be a temporary outage causing me to double post.

Edited by KoanYorel, 07 July 2008 - 12:32 PM.
Doubled post deleted


#5 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 01 July 2008 - 12:45 AM

Hi,

Sorry for delay.
No problem on the double posting. :thumbsup:

The following script is for this machine only! Please do not use this on other machines or it may cause problems!

Open notepad and copy/paste the text in the code box below into it:

driver::
Pru58

File::
C:\WINDOWS\mssecurity.config
C:\WINDOWS\system32\nloz760.exe
C:\WINDOWS\system32\lphctp8j0eg2l.exe
C:\WINDOWS\system32\phctp8j0eg2l.bmp
C:\WINDOWS\system32\blphctp8j0eg2l.scr
C:\WINDOWS\system32\xghbnx.tmp
C:\WINDOWS\system\akstart.lnk
C:\WINDOWS\system32\2E9B37FAE7.dll
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At73.job
C:\WINDOWS\Tasks\At74.job
C:\WINDOWS\Tasks\At75.job
C:\WINDOWS\Tasks\At76.job
C:\WINDOWS\Tasks\At77.job
C:\WINDOWS\Tasks\At78.job
C:\WINDOWS\Tasks\At79.job
C:\WINDOWS\Tasks\At80.job
C:\WINDOWS\Tasks\At81.job
C:\WINDOWS\Tasks\At82.job
C:\WINDOWS\Tasks\At83.job
C:\WINDOWS\Tasks\At84.job
C:\WINDOWS\Tasks\At85.job
C:\WINDOWS\Tasks\At86.job
C:\WINDOWS\Tasks\At87.job
C:\WINDOWS\Tasks\At88.job
C:\WINDOWS\Tasks\At89.job
C:\WINDOWS\Tasks\At90.job
C:\WINDOWS\Tasks\At91.job
C:\WINDOWS\Tasks\At92.job
C:\WINDOWS\Tasks\At93.job
C:\WINDOWS\Tasks\At94.job
C:\WINDOWS\Tasks\At95.job
C:\WINDOWS\Tasks\At96.job
C:\WINDOWS\Tasks\At97.job
C:\WINDOWS\Tasks\At98.job
C:\WINDOWS\Tasks\At99.job
C:\WINDOWS\Tasks\At100.job

filelook::
C:\windows\system32\userinit.exe

dirlook::
C:\Documents and Settings\S. Rahman\Desktop


registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphctp8j0eg2l"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pru58.sys]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

Save this as CFScript.txt to your desktop.

Disable antispyware/antivirus then disconnect from internet.

Drag CFScript.txt on top of ComboFix.exe

like this:

Posted Image

ComboFix will most likely reboot your computer to complete the fix. Allow it to, please.

Post the new ComboFix.txt please, along with a new HijackThis log.
If the ComboFix log is long, please attach it rather than copy/paste it.
Don't forget to re-enable protection software.

Let me know how system is running.

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
c:\windows\system32\userinit.exe
Click Send.
Please post the results of this scan to this thread.
Please include the file size/MD5 information if available.

If it shows as infected please DO NOT delete it. It is a critical system file and you cannot boot without it.
If we need to we'll replace it.

Thanks :)
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert, can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image
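The ComboFix log earlier in the thread shows the two things Blender's CFScript is keyed on: a run of hourly At*.job tasks in C:\WINDOWS\Tasks that all launch random-named executables in system32, and Security Center and firewall values set so that no warning is raised. The following Python script is an added example, not part of this thread and not ComboFix or HijackThis code: it parses a constructed excerpt of that log (the paths are the ones posted above), flags both patterns, and renders the File:: block of a CFScript from the flagged jobs. The random-name heuristic and the PROTECTION_OFF table are assumptions made for this example, not ComboFix rules.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt of the ComboFix log posted above: the Security Center,
# firewall-policy and 'Scheduled Tasks' sections, using the paths that appear
# in the thread. A full log simply contains more lines of the same shape.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

Contents of the 'Scheduled Tasks' folder
"2008-06-24 13:11:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-30 00:00:01 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 01:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\HXee5eNp.exe
"2008-06-29 23:00:00 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\Fcyb2DUV.exe
"2008-06-30 00:00:02 C:\WINDOWS\Tasks\At74.job"
- C:\WINDOWS\system32\U4vFTnj3.exe
'''

# Line shapes in the log: a quoted timestamp + .job path, the "- target" line
# that follows it, and "name"=value registry lines (dword: or "0 (0x0)" form).
TASK_RE = re.compile(r'^"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<job>.+\.job)"$')
TARGET_RE = re.compile(r'^- (?P<target>\S.*)$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:)?(?P<value>[0-9A-Fa-f]+)')
AT_JOB_RE = re.compile(r'^At\d+\.job$', re.IGNORECASE)  # jobs created by at.exe

# Assumed table for this example: registry values which, at the setting shown,
# mean a protection or its warning is switched off.
PROTECTION_OFF = {
    "AntiVirusDisableNotify": 1,  # Security Center stops warning about AV state
    "EnableFirewall": 0,          # Windows Firewall off on the standard profile
    "DisableNotifications": 1,    # firewall stops warning about blocked programs
}


def parse_combofix_excerpt(text):
    """Return (values, tasks): registry values as {name: int} and scheduled
    tasks as a list of (job_path, target_path) pairs."""
    values, tasks = {}, []
    pending_job = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = VALUE_RE.match(line)
        if m:
            values[m['name']] = int(m['value'], 16)  # dword values are hex
            continue
        m = TASK_RE.match(line)
        if m:
            pending_job = m['job']
            continue
        m = TARGET_RE.match(line)
        if m and pending_job is not None:
            tasks.append((pending_job, m['target']))
            pending_job = None
    return values, tasks


def looks_random(stem):
    """Heuristic assumed for this example: generated names such as HXee5eNp
    mix upper case, lower case and digits with no separators, while vendor
    binaries like SoftwareUpdate contain no digits."""
    return (len(stem) >= 6 and stem.isalnum()
            and any(c.isdigit() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isupper() for c in stem))


def triage(text):
    """Flag At*.job tasks launching random-named executables, count how many
    jobs share each target, and list protections the log shows disabled."""
    values, tasks = parse_combofix_excerpt(text)
    at_jobs = []
    for job, target in tasks:
        job_name = PureWindowsPath(job).name
        exe = PureWindowsPath(target)
        if AT_JOB_RE.match(job_name) and looks_random(exe.stem):
            at_jobs.append((job_name, exe.name))
    return {
        "at_jobs": at_jobs,
        "targets": Counter(exe for _, exe in at_jobs),
        "disabled_protection": sorted(
            name for name, off in PROTECTION_OFF.items()
            if values.get(name) == off),
    }


def cfscript_file_section(tasks_dir, report):
    """Render the File:: block of a CFScript for the flagged jobs, in the
    layout Blender's script above uses (one full path per line)."""
    return ["File::"] + [f"{tasks_dir}\\{job}" for job, _ in report["at_jobs"]]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for exe, n in result["targets"].items():
        print(f"{exe}: launched by {n} At*.job task(s)")
    print("protection disabled:", ", ".join(result["disabled_protection"]))
    print("\n".join(cfscript_file_section(r"C:\WINDOWS\Tasks", result)))
```

On the full log above the same parser would report 71 At*.job entries spread over three targets; the count per target is the useful signal, since a legitimate at.exe job rarely repeats every hour against a freshly dropped system32 binary.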

#6 neo147

neo147
  • Topic Starter

  • Members
  • 22 posts

Posted 01 July 2008 - 12:07 PM

Hi Blender

Well, the system is looking much better now. After the latest ComboFix scan the background is normal again, with the option to change wallpapers; the blue screen of death screensaver seems to be gone, and the computer now boots up much quicker, with no suspicious processes starting up either.

Here are the 3 new logs: ComboFix (attached), HJT, and the VirusTotal log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:53:00, on 01/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\IconLock\ICONLOCK.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IconHlprObj Class - {03183603-F684-11d2-A17F-00A0C90AE44B} - C:\PROGRA~1\IconLock\LockHlpr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IconLock] "C:\Program Files\IconLock\ICONLOCK.EXE"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201211255828
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7705 bytes

=====================================================================================================


File size: 24576 bytes
MD5: 39b1ffb03c2296323832acbae50d2aff
First received: 11.20.2007 00:54:56 (CET)
Date: 07.01.2008 17:42:33 (CET) [<1D]
Results: 0/33

Attached Files

  • Attached File  log.txt   19.02KB   33 downloads


#7 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 10 July 2008 - 02:39 AM

Hi,

Sorry for the delay. I missed my notification you replied.

Log looks much better & glad to hear things are working better.

A couple of folders left to remove and a HijackThis fix to do.

Configure your system to show hidden files/folders.
How to, if needed:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/
Don't forget to hide files/folders again when we are finished cleaning.

Locate & delete the following folders:

C:\Documents and Settings\Administrator\Application Data\rhcpp8j0eg2l
C:\Documents and Settings\S. Rahman\Application Data\rhcpp8j0eg2l

Empty recycle bin.

Open HijackThis.
Run a system scan and check:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O15 - Trusted Zone: *.amaena.com


Close all open windows and hit "Fix checked".
Say OK and exit HijackThis when done.

Reboot.

Post new Hijackthis log here along with log from the following:

If you have already used Kaspersky Online Scanner, please uninstall it via Add/Remove Programs, because this is a new version I need you to download.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Graphics tutorial available here if needed:

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

Let me know if everything is still running OK.
If I miss you again say within 24 hours --- please don't be shy to PM me.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

#8 neo147 (Topic Starter)

Posted 13 July 2008 - 03:41 PM

Hi Blender,

No worries about the delay.

Everything's running very smoothly now and I think we're pretty much done.

I did a new scan with Kaspersky but didn't bother saving the report as it contained nothing; no malware reported, unlike last time.

This is the new HJT log.

Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:41:10, on 13/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\IconLock\ICONLOCK.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IconHlprObj Class - {03183603-F684-11d2-A17F-00A0C90AE44B} - C:\PROGRA~1\IconLock\LockHlpr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IconLock] "C:\Program Files\IconLock\ICONLOCK.EXE"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201211255828
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7527 bytes
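To show how a log like the one above is read, here is an added Python example (not from this thread and not part of HijackThis) that parses HijackThis entries and flags the kinds of lines Blender asked to fix, plus services whose executable is missing. The sample lines are copied from the logs in this thread; the review rules are my own assumptions about what deserves a second look, not verdicts that an entry is malicious.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# One HijackThis entry: a section code (R0, O2, O23, ...) followed by " - " and the rest.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O15"
    reason: str  # why a reviewer should look at this entry
    line: str    # the raw log line


def parse_hjt(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (code, body, raw_line) for every HijackThis entry in the log text."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()


def review_hjt(text: str) -> List[Finding]:
    """Flag entries matching simple review rules (assumed rules, not HijackThis logic)."""
    findings: List[Finding] = []
    for code, body, raw in parse_hjt(text):
        if code == "R0" and body.rstrip().endswith("="):
            findings.append(Finding(code, "IE start page entry left empty", raw))
        elif code == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(code, "unnamed BHO; verify the DLL path", raw))
        elif code == "O3" and "(no file)" in body:
            findings.append(Finding(code, "toolbar CLSID points at a missing file", raw))
        elif code == "O15":
            findings.append(Finding(code, "domain added to the IE Trusted Zone", raw))
        elif code == "O23" and "(file missing)" in body:
            findings.append(Finding(code, "service registered for a missing executable", raw))
    return findings


# Constructed sample: a handful of lines taken from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O15 - Trusted Zone: *.amaena.com
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
"""

if __name__ == "__main__":
    for f in review_hjt(SAMPLE_LOG):
        print(f"{f.code:>4}  {f.reason}\n      {f.line}")
```

The unnamed O2 entry above is Spybot's own SDHelper.dll, which is why the rule only asks for the path to be checked rather than marking the entry bad.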

#9 Blender (Malware Response Team, Ontario)

Posted 20 July 2008 - 05:23 AM

Hello,

Sorry about the delay again ... missed the noti

How are things running now? OK?

#10 neo147 (Topic Starter)

Posted 20 July 2008 - 08:59 AM

Hi Blender

Yep, everything's fine now, all running smoothly.

I just need to delete the previous system restore points and create and save a new one now, and that should be it.

Thanks for everything.

#11 Blender (Malware Response Team, Ontario)

Posted 21 July 2008 - 05:55 PM

Hi :thumbsup:

Good to hear & glad to help out.

We can uninstall Combofix now.
Doing this will also reset your system restore points as well.
It will also delete DSS.exe and what it dropped.
It will delete combofix and files it dropped.

If you already deleted Combofix then please download a new copy from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then do the following:

Click start> run> type:

ComboFix /U and hit enter.
Follow prompts.
It may ask for reboot to delete itself.

Since the HJT log is clean, here is some great information to help you stay clean and safe online:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

If you want to help speed up your system Miekiemoes has some great information here:
http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

Reply one more time please to let me know if all is still well.

Take care & surf safe!

Blender

#12 neo147 (Topic Starter)

Posted 27 July 2008 - 12:11 PM

Hi

Yep, everything's fine, and thanks for everything, Blender.

I'll definitely bookmark those links for future reference.

Thanks. :thumbsup:
