
Yahoo Messenger Password Stealer


  • This topic is locked
2 replies to this topic

#1 Missy27


Posted 04 July 2008 - 08:27 PM

I have received something in a program sent to me, it has installed itself somewhere within Yahoo Messenger (I believe). Kaspersky picks it up as malware when I log into Yahoo Messenger, then closes out of the program. I have uninstalled Messenger numerous times but it returns upon reinstallation. When I click on locate file with Kaspersky it takes me to C:/ Program files /yahoo!/messenger; I have 2 dat files here that I'm not sure if I should have or not. I have actually spoken to the person responsible for getting my password and asked him how to remove this, he has said reformat :-< Hope someone can help, I have exhausted every little bit of knowledge I have on this one.



Deckard's System Scanner v20071014.68
Run by janetadmin on 2008-07-05 09:55:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 3 Restore Point(s) --
3: 2008-07-04 14:58:32 UTC - RP799 - Installed Windows Live
2: 2008-07-04 14:26:49 UTC - RP798 - Windows Update
1: 2008-07-04 05:29:52 UTC - RP797 - Installed Kaspersky Internet Security 7.0.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (1024 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-05 09:58:04
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\tsnpstd3.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\microsoft shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\Macromed\Flash\FlashUtil9f.exe
C:\Users\janetadmin.home-pc\Desktop\dss.exe
C:\Windows\System32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.i-com.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\Windows\tsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} () - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{7822745B-F8E6-46C5-B20E-55DE2005A47B}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\Windows\System32\slserv.exe
O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\Program Files\SpywareBot\SpywareBot.srv.exe


--
End of file - 6405 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0012
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0012
Service: tunnel


-- Scheduled Tasks -------------------------------------------------------------

2008-07-05 08:47:42 438 --a------ C:\Windows\Tasks\RegCure Program Check.job
2008-07-05 00:41:38 254 --a------ C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
2008-07-03 03:27:00 372 --a------ C:\Windows\Tasks\RegCure.job


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 08:12:01 0 dr------- C:\Users\janetadmin.home-pc\Searches
2008-07-05 08:11:05 0 dr------- C:\Users\janetadmin.home-pc\Contacts
2008-07-05 08:09:58 0 d--hs---- C:\Users\janetadmin.home-pc\Templates
2008-07-05 08:09:58 0 d--hs---- C:\Users\janetadmin.home-pc\Start Menu
2008-07-05 08:09:58 0 d--hs---- C:\Users\janetadmin.home-pc\SendTo
2008-07-05 08:09:58 0 d--hs---- C:\Users\janetadmin.home-pc\Recent
2008-07-05 08:09:58 0 d--hs---- C:\Users\janetadmin.home-pc\PrintHood
2008-07-05 08:09:58 0 d--hs---- C:\Users\janetadmin.home-pc\NetHood
2008-07-05 08:09:58 0 d--hs---- C:\Users\janetadmin.home-pc\My Documents
2008-07-05 08:09:58 0 d--hs---- C:\Users\janetadmin.home-pc\Local Settings
2008-07-05 08:09:58 0 d--hs---- C:\Users\janetadmin.home-pc\Cookies
2008-07-05 08:09:58 0 d--hs---- C:\Users\janetadmin.home-pc\Application Data
2008-07-05 08:09:39 0 dr------- C:\Users\janetadmin.home-pc\Videos
2008-07-05 08:09:39 0 dr------- C:\Users\janetadmin.home-pc\Saved Games
2008-07-05 08:09:39 0 dr------- C:\Users\janetadmin.home-pc\Pictures
2008-07-05 08:09:39 0 dr------- C:\Users\janetadmin.home-pc\Music
2008-07-05 08:09:39 0 dr------- C:\Users\janetadmin.home-pc\Links
2008-07-05 08:09:39 0 dr------- C:\Users\janetadmin.home-pc\Favorites
2008-07-05 08:09:39 0 dr------- C:\Users\janetadmin.home-pc\Downloads
2008-07-05 08:09:39 0 dr------- C:\Users\janetadmin.home-pc\Documents
2008-07-05 08:09:39 0 dr------- C:\Users\janetadmin.home-pc\Desktop
2008-07-05 08:09:39 0 d--h----- C:\Users\janetadmin.home-pc\AppData
2008-07-05 08:09:38 786432 --ahs---- C:\Users\janetadmin.home-pc\NTUSER.DAT
2008-07-05 00:40:07 0 d-------- C:\Program Files\Windows Live Favorites
2008-07-04 23:10:41 75264 --a------ C:\Windows\system32\unacev2.dll
2008-07-04 23:10:40 153088 --a------ C:\Windows\system32\unrar3.dll
2008-07-04 22:44:24 0 d-------- C:\Users\All Users\Made in Indonesia
2008-07-04 15:05:33 96966 --a------ C:\Windows\system32\drivers\klin.dat
2008-07-04 15:05:33 88774 --a------ C:\Windows\system32\drivers\klick.dat
2008-07-04 15:02:20 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-07-04 15:02:20 0 d-------- C:\Program Files\Kaspersky Lab
2008-07-04 15:02:08 83089696 --ahs---- C:\Windows\system32\drivers\fidbox.dat
2008-07-04 14:58:31 0 d-------- C:\kav
2008-06-26 14:08:34 0 d-------- C:\Program Files\Axis Communications
2008-06-26 13:17:44 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-26 11:32:58 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-22 18:15:47 0 d-------- C:\Windows\vbSkinner
2008-06-09 23:30:10 1160 --a------ C:\Windows\mozver.dat
2008-06-09 23:28:34 0 --a------ C:\Windows\nsreg.dat
2008-06-09 07:52:06 0 d-------- C:\Windows\system32\Evil BootFixed By S3rial-Killers


-- Find3M Report ---------------------------------------------------------------

2008-07-05 08:55:33 0 d-------- C:\Program Files\Yahoo!
2008-07-05 08:33:07 0 d-------- C:\Users\janetadmin.home-pc\AppData\Roaming\Macromedia
2008-07-05 08:15:37 0 d-------- C:\Users\janetadmin.home-pc\AppData\Roaming\Adobe
2008-07-05 08:11:13 0 d-------- C:\Users\janetadmin.home-pc\AppData\Roaming\Identities
2008-07-05 00:41:22 0 d-------- C:\Program Files\Windows Live Toolbar
2008-07-05 00:35:40 0 d-------- C:\Program Files\Windows Live
2008-07-05 00:34:25 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-04 21:53:30 0 d-------- C:\Program Files\Common Files
2008-06-28 07:38:06 0 d-------- C:\Program Files\VistaCodecPack
2008-06-28 07:38:06 0 d-------- C:\Program Files\SpywareBot
2008-06-26 11:34:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-14 09:01:03 174 --ahs---- C:\Program Files\desktop.ini
2008-06-14 08:44:45 0 d-------- C:\Program Files\Windows Calendar
2008-06-14 08:44:44 0 d-------- C:\Program Files\Windows Mail
2008-06-14 08:44:43 0 d-------- C:\Program Files\Windows Sidebar
2008-06-14 08:44:42 0 d-------- C:\Program Files\Movie Maker
2008-06-14 08:44:37 0 d-------- C:\Program Files\Windows Collaboration
2008-06-14 08:44:35 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-14 08:44:20 0 d-------- C:\Program Files\Windows Defender


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 05:08 PM]
"SoundMan"="SOUNDMAN.EXE" [10/03/2007 09:58 AM C:\Windows\SOUNDMAN.EXE]
"RegistryMechanic"="" []
"tsnpstd3"="C:\Windows\tsnpstd3.exe" [30/03/2007 04:44 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/08/2007 02:18 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [08/02/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [30/08/2007 05:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-05 10:06:23 ------------






Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Basic (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.53GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 502.83 MiB / 148.53 MiB
Pagefile Memory (total/avail): 1501.66 MiB / 961.36 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 46.95 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP0822N ATA Device - 74.56 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab) Disabled
AS: AVG Anti-Virus v8.0 (AVG Technologies) Disabled
AS: AVG Anti-Spyware v7, 5, 1, 36 (GRISOFT s.r.o.) Disabled Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab) Disabled
AS: SpywareBot v ()

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\janetadmin.home-pc\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-PC
ComSpec=C:\Windows\system32\cmd.exe
configsetroot=C:\Windows\ConfigSetRoot
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\janetadmin.home-pc
LOCALAPPDATA=C:\Users\janetadmin.home-pc\AppData\Local
LOGONSERVER=\\HOME-PC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\JANETA~1.HOM\AppData\Local\Temp
TMP=C:\Users\JANETA~1.HOM\AppData\Local\Temp
USERDOMAIN=home-pc
USERNAME=janetadmin
USERPROFILE=C:\Users\janetadmin.home-pc
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

janet
shaun
janetadmin.home-pc


-- Add/Remove Programs ---------------------------------------------------------

2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office system --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROHYBRIDR /dll OSETUP.DLL
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
FrostWire 4.13.5 --> C:\Program Files\FrostWire\Uninstall.exe
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HP Driver Diagnostics --> MsiExec.exe /I{ED3F469E-D9EC-4DF1-968F-5812CE2F30F8}
HP Imaging Device Functions 8.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP OCR Software 8.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B --> C:\Program Files\HP\Digital Imaging\{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}\setup\hpzscr01.exe -datfile hposcr19.dat -onestop -showdisconnect -forcereboot
HP Product Detection --> MsiExec.exe /I{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP Solution Center 8.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Java DB 10.2.2.0 --> MsiExec.exe /X{0ECB59D5-A3FC-4D61-AD3B-6CE679B3F852}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Development Kit 6 Update 2 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160020}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Hybrid 2007 --> MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSI Star Cam 370i --> C:\Program Files\InstallShield Installation Information\{ECD03DA7-5952-406A-8156-5F0C93618D1F}\setup.exe -runfromtemp -l0x0009 -removeonly
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
OpenOffice.org 2.1 --> MsiExec.exe /I{43983EB4-43DC-4C3D-9712-1EF592A31CA8}
QuickTime --> C:\Windows\unvise32qt.exe C:\Windows\system32\QuickTime\Uninstall.log
Realtek AC'97 Audio --> Alcrmv.exe -r -m
RegCure 1.5.0.0 --> C:\Program Files\RegCure\uninst.exe
Registry Mechanic 6.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Roxio CinePlayer DVD Decoder for Windows Vista --> MsiExec.exe /I{CD93976F-D5AC-4C70-805A-9D5BB2210D08}
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
TSP_CODEC --> C:\Program Files\Bytescribe\TSP_CODEC\Uninst.exe /pid:{A90C03D6-08E1-4C59-B93B-6919A6C0AC19} /asd
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
WinZip 11.2 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type28180 / Error
Event Submitted/Written: 07/05/2008 09:27:01 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6001.18000, time stamp 0x47918f11, faulting module smamen.dll, version 3.1.0.146, time stamp 0x4718f60d, exception code 0xc0000005, fault offset 0x0001f0ac,
process id 0xfc, application start time 0xiexplore.exe0.

Event Record #/Type28178 / Error
Event Submitted/Written: 07/05/2008 08:52:02 AM
Event ID/Source: 10 / WinMgmt
Event Description:
//./root/SecurityCenterSELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'0x80042002

Event Record #/Type28176 / Success
Event Submitted/Written: 07/05/2008 08:51:44 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type28171 / Success
Event Submitted/Written: 07/05/2008 08:48:13 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type28167 / Success
Event Submitted/Written: 07/05/2008 08:48:01 AM
Event ID/Source: 5617 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type87077 / Warning
Event Submitted/Written: 07/05/2008 09:58:37 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%home-pc27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %home-pc27 can't undo changes that you allow.

For more information please see the following:
%home-pc275

Scan ID: {257C4B41-A998-4B78-9E1B-EDF99E04578F}

User: home-pc\janetadmin

Name: %home-pc271

ID: %home-pc272

Severity ID: %home-pc273

Category ID: %home-pc274

Path Found: %home-pc276

Alert Type: %home-pc278

Detection Type: 1.1.1600.02

Event Record #/Type87076 / Warning
Event Submitted/Written: 07/05/2008 09:58:37 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%home-pc27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %home-pc27 can't undo changes that you allow.

For more information please see the following:
%home-pc275

Scan ID: {A0A803D5-586E-4E5A-AF65-3351988F118D}

User: home-pc\janetadmin

Name: %home-pc271

ID: %home-pc272

Severity ID: %home-pc273

Category ID: %home-pc274

Path Found: %home-pc276

Alert Type: %home-pc278

Detection Type: 1.1.1600.02

Event Record #/Type87075 / Warning
Event Submitted/Written: 07/05/2008 09:58:37 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%home-pc27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %home-pc27 can't undo changes that you allow.

For more information please see the following:
%home-pc275

Scan ID: {C494A1AF-580C-4B80-95D7-0CF9172900C8}

User: home-pc\janetadmin

Name: %home-pc271

ID: %home-pc272

Severity ID: %home-pc273

Category ID: %home-pc274

Path Found: %home-pc276

Alert Type: %home-pc278

Detection Type: 1.1.1600.02

Event Record #/Type87074 / Warning
Event Submitted/Written: 07/05/2008 09:58:37 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%home-pc27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %home-pc27 can't undo changes that you allow.

For more information please see the following:
%home-pc275

Scan ID: {1A04143C-AE60-4B79-89A9-3D3907EBCB98}

User: home-pc\janetadmin

Name: %home-pc271

ID: %home-pc272

Severity ID: %home-pc273

Category ID: %home-pc274

Path Found: %home-pc276

Alert Type: %home-pc278

Detection Type: 1.1.1600.02

Event Record #/Type87072 / Error
Event Submitted/Written: 07/05/2008 09:58:31 AM
Event ID/Source: 7016 / Service Control Manager
Event Description:
SmartLinkService0



-- End of Deckard's System Scanner: finished at 2008-07-05 10:06:23 ------------





I have Kaspersky Anti-Virus installed. This is from my report files for the past 2 days.

Protection : running
--------------------
Total scanned: 225
Detected: 4
Untreated: 0
Attacks blocked: 0
Start time: 5/07/2008 10:54:43 AM
Duration: 00:01:12


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-PSW.Win32.Agent.jzx File: C:\Applications\njwab\maz.dll
deleted: Trojan program Trojan-PSW.Win32.Agent.jzx File: C:\Windows\iowin.dll
detected: riskware Hidden data sending Running process: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
detected: riskware Hidden data sending Running process: C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
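An added example, not part of the original post and not Kaspersky's own tooling: a small Python parser for the "Detected" block of a Kaspersky 7.0 report in the format shown above. It separates what Kaspersky actually removed (status "deleted") from what it only reported (status "detected", here the two running YahooMessenger.exe processes flagged for hidden data sending), which is the list that still needs attention. The sample text is constructed from the four lines in the post; the line layout (status, verdict, object kind, path) and the assumption that the object kind is always "File" or "Running process" are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the "Detected" block copied from the Kaspersky report
# shown in the post. Paths use escaped backslashes so the string matches the
# report verbatim.
SAMPLE_REPORT = """\
Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-PSW.Win32.Agent.jzx File: C:\\Applications\\njwab\\maz.dll
deleted: Trojan program Trojan-PSW.Win32.Agent.jzx File: C:\\Windows\\iowin.dll
detected: riskware Hidden data sending Running process: C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe
detected: riskware Hidden data sending Running process: C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE
"""


@dataclass(frozen=True)
class Detection:
    status: str   # what Kaspersky did: "deleted", "detected", ...
    verdict: str  # e.g. "Trojan program Trojan-PSW.Win32.Agent.jzx"
    kind: str     # object kind: "File" or "Running process" (assumption)
    path: str     # path of the file or process image


# Assumed line format: "<status>: <verdict> <kind>: <path>". The verdict is
# matched non-greedily so it stops right before the object-kind keyword.
LINE_RE = re.compile(
    r"^(?P<status>\w+):\s+(?P<verdict>.+?)\s+"
    r"(?P<kind>File|Running process):\s+(?P<path>.+)$"
)


def parse_report(text: str) -> List[Detection]:
    """Return one Detection per matching line; headers and rules are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["status"], m["verdict"], m["kind"], m["path"]))
    return found


def not_removed(detections: List[Detection]) -> List[Detection]:
    """Entries Kaspersky reported but did not delete: the follow-up list."""
    return [d for d in detections if d.status != "deleted"]


def running_processes(detections: List[Detection]) -> List[str]:
    """Image paths of flagged processes that were still running at scan time."""
    return [d.path for d in detections if d.kind == "Running process"]


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for d in dets:
        print(f"{d.status:9} {d.kind:16} {d.path}")
    print("still to handle:", [d.path for d in not_removed(dets)])
```

The two "detected" entries are the same program under its long and its 8.3 short path, so a follow-up list should be deduplicated by resolving short names on the affected machine before acting on it; this script does not do that because it runs off the report text alone.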


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:40 AM

Posted 24 July 2008 - 12:47 PM

Hello

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.
  • Please make a DSS scan:
    • Click Start and then Run to bring up the Run box.
    • Copy and paste the contents of this quote box into the run box:

      "%userprofile%\desktop\dss.exe" /config

    • Close all other open windows.
    • Click OK.
    • A window will now open. Click Check All and then click Scan!.
    • When the scan is complete, two text files will open in Notepad:
      • main.txt <- this one will be maximized
      • extra.txt <- this one will be minimized
    • If not, they both can be found in the C:\Deckard\System Scanner folder.
    • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
  • Please run a full/complete scan with Kaspersky and copy and paste the log to your reply.


#3 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:40 AM

Posted 31 July 2008 - 12:15 AM

Due to lack of feedback this thread is closed.

If you need to reopen it please send a private message to your helper or a moderator.

This applies to original starter only; everyone else should start a new thread.
Microsoft MVP Consumer Security

