Recurring Problems With Trojans (downloader, Others?)


12 replies to this topic

#1 mm88
  • Members
  • 5 posts

Posted 11 August 2008 - 06:37 AM

Hi,

A few days ago I noticed some strange behaviour of my computers (e.g. connecting to "dt.tongji.cn.yahoo.com" during any web page load).
I ran a number of available programs / scanners, removed suspicious files, updated Windows, Java, etc.
Seems to be a bit better, but I still get positives from antimalware programs.

Please help me to remove anything that's left!

Attached are the DSS logs and Kaspersky online:

Deckard's System Scanner v20071014.68
Run by Marek on 2008-08-11 13:18:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
22: 2008-08-11 11:18:27 UTC - RP141 - Deckard's System Scanner Restore Point
21: 2008-08-11 10:06:14 UTC - RP140 - Removed Symantec AntiVirus
20: 2008-08-09 18:36:18 UTC - RP139 - Installed Java™ 6 Update 7
19: 2008-08-09 18:27:02 UTC - RP138 - Removed Java™ 6 Update 5
18: 2008-08-09 18:26:25 UTC - RP137 - Removed Java™ 6 Update 3


-- First Restore Point --
1: 2008-07-18 01:13:43 UTC - RP120 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.04 GiB (less than 15%) free.


-- HijackThis (run as Marek.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:23, on 11/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Mapps\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\eXPert PDF\vspdfprsrv.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HDD Health\hddhealth.exe
C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe
C:\Mapps\USB Safely Remove\USBSafelyRemove.exe
C:\Documents and Settings\Marek\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
E:\Marek\Soft\Antyvir\Marek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFFFF-D71D-41e4-A699-F506DBD097F0} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Program Files\eXPert PDF\vspdfprsrv.exe --background
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AntiSpyWare2Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O4 - HKCU\..\Run: [USB Safely Remove] C:\Mapps\USB Safely Remove\USBSafelyRemove.exe /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\Mapps\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\Mapps\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://ebrdremote.ebrd.com/citrix/wfica.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191100253734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Mapps\Macrium\Reflect\ReflectService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9348 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>
R3 ULCDRHlp - c:\windows\system32\drivers\ulcdrhlp.sys <Not Verified; Ulead Systems, Inc.; Ulead CD/DVD Burning Engine>
R3 USR_Find_Handle - c:\mapps\usb safely remove\usrfindhandle.sys <Not Verified; SafelyRemove.com; USB Safely Remove auxiliary driver>

S1 Uim_IM (UIM Drive Backup Image Plugin) - c:\windows\system32\drivers\uim_im.sys (file missing)
S1 UimBus (Universal Image Mounter Controller) - c:\windows\system32\drivers\uimbus.sys (file missing)
S2 WalkieTVTunerLoader (WinFast WalkieTV Firmware Loader) - c:\windows\system32\drivers\wtloader.sys <Not Verified; Leadtek Research Inc.; WinFast WalkieTV>
S3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 WalkieTV (WinFast WalkieTV WDM Capture Driver.) - c:\windows\system32\drivers\walkietv.sys <Not Verified; Leadtek Research Inc.; WinFast WalkieTV>
S3 WFIOCTL - c:\program files\winfast\wftvfm\wfioctl.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter
Device ID: USB\VID_0BDA&PID_8187\0015AF1A7323
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter
PNP Device ID: USB\VID_0BDA&PID_8187\0015AF1A7323
Service: RTLWUSB


-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-11 12:29:35 0 d-------- C:\Documents and Settings\Marek\Application Data\USBSafelyRemove
2008-08-09 20:37:57 0 d-------- C:\WINDOWS\Sun
2008-08-09 20:36:26 0 d-------- C:\Program Files\Java
2008-08-09 20:36:25 0 d-------- C:\Program Files\Common Files\Java
2008-08-09 20:34:44 0 d-------- C:\Documents and Settings\Marek\Application Data\Sun
2008-08-09 20:28:01 102 --a------ C:\WINDOWS\system32\unxxx.bat
2008-08-09 20:26:45 0 d-------- C:\WINDOWS\system32\appmgmt
2008-08-07 23:28:47 68096 --a------ C:\WINDOWS\zip.exe
2008-08-07 23:28:47 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-07 23:28:47 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-07 23:28:47 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-07 23:28:47 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-07 23:28:47 98816 --a------ C:\WINDOWS\sed.exe
2008-08-07 23:28:47 80412 --a------ C:\WINDOWS\grep.exe
2008-08-07 23:28:47 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-05 02:27:32 0 d-------- C:\Program Files\Process Explorer v11.20
2008-08-05 01:06:52 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-08-05 00:47:43 0 d-------- C:\WINDOWS\Prefetch
2008-08-05 00:42:29 0 d-------- C:\WINDOWS\system32\scripting
2008-08-05 00:42:29 0 d-------- C:\WINDOWS\system32\en
2008-08-05 00:42:29 0 d-------- C:\WINDOWS\l2schemas
2008-08-05 00:42:28 0 d-------- C:\WINDOWS\system32\bits
2008-08-05 00:41:08 0 d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 02:27:46 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-07-18 13:40:16 0 d-------- C:\Program Files\Spyware Doctor
2008-07-18 13:40:16 0 d-------- C:\Documents and Settings\Marek\Application Data\PC Tools
2008-07-18 13:29:23 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-18 13:14:45 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-16 01:45:44 0 d-------- C:\Program Files\ASUS
2008-07-12 23:48:51 0 d-------- C:\Program Files\RuntimeSoft
2008-07-12 03:46:15 0 d-------- C:\Program Files\Kroll Ontrack
2008-07-11 09:47:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Macrium


-- Find3M Report ---------------------------------------------------------------

2008-08-11 12:16:01 0 d-------- C:\Program Files\HDD Health
2008-08-11 12:07:13 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-11 12:07:03 0 d-------- C:\Program Files\Symantec
2008-08-11 12:07:01 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-10 15:16:22 0 d-------- C:\Program Files\eXPert PDF
2008-08-10 01:18:00 0 d-------- C:\Program Files\Messenger
2008-08-09 20:36:25 0 d-------- C:\Program Files\Common Files
2008-08-09 10:53:29 0 d-------- C:\Documents and Settings\Marek\Application Data\cPicture
2008-08-07 14:42:13 0 d-------- C:\Program Files\Ashampoo
2008-08-05 00:42:28 0 d-------- C:\Program Files\Movie Maker
2008-08-05 00:40:56 0 d-------- C:\Program Files\Windows NT
2008-07-20 10:04:29 0 d-------- C:\Program Files\Avidemux 2.4
2008-07-16 01:45:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-11 17:46:08 0 d-------- C:\Program Files\Opera
2008-07-02 23:41:03 0 d-------- C:\Program Files\MirskiySolutions


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-D71D-41e4-A699-F506DBD097F0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [29/09/2007 03:16]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [20/03/2007 08:36]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [21/03/2007 10:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 20:51]
"MaxBlastMonitor.exe"="C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [08/08/2007 17:26]
"AcronisTimounterMonitor"="C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe" [08/08/2007 17:39]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" [08/08/2007 17:31]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [07/09/2006 19:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12/01/2006 15:40]
"vspdfprsrv.exe"="C:\Program Files\eXPert PDF\vspdfprsrv.exe" [04/05/2006 07:58]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [24/04/2007 16:59]
"BluetoothAuthenticationAgent"="bthprops.cpl" [14/04/2008 02:12 C:\WINDOWS\system32\bthprops.cpl]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [18/12/2006 21:34]
"AntiSpyWare2Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe" [13/03/2008 15:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UIWatcher"="C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe" [04/02/2005 23:36]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [24/04/2007 16:59]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42]
"HDDHealth"="C:\Program Files\HDD Health\hddhealth.exe" [24/06/2005 09:17]
"PMCLoader"="C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe" [30/05/2007 12:25]
"USB Safely Remove"="C:\Mapps\USB Safely Remove\USBSafelyRemove.exe" [28/07/2008 13:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1214FBE7-4464-4A7E-9958-B5851A7A30A3}"= C:\Mapps\RecentX\RXShell.dll [29/04/2008 16:28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61b5c941-3263-11dd-b5b5-001bfcc1c8d1}]
AutoRun\command- Q:\USBNB.exe

*Newly Created Service* - USR_FIND_HANDLE



-- Hosts -----------------------------------------------------------------------

127.0.0.1 dt.tongji.cn.yahoo.com
127.0.0.1 js.tongji.cn.yahoo.com
127.0.0.1 cn.yahoo.com


-- End of Deckard's System Scanner: finished at 2008-08-11 13:20:57 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
Percentage of Memory in Use: 20%
Physical Memory (total/avail): 3327.04 MiB / 2629.04 MiB
Pagefile Memory (total/avail): 5212.52 MiB / 4705.67 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.47 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 40 GiB total, 3.04 GiB free.
D: is CDROM (CDFS)
E: is Fixed (NTFS) - 258.08 GiB total, 3.89 GiB free.
F: is Fixed (NTFS) - 288.08 GiB total, 22.18 GiB free.
O: is CDROM (UDF)
V: is Fixed (NTFS) - 931.51 GiB total, 718.5 GiB free.
W: is Fixed (NTFS) - 931.51 GiB total, 0.79 GiB free.
X: is Fixed (NTFS) - 298.09 GiB total, 1.77 GiB free.
Y: is Fixed (NTFS) - 298.09 GiB total, 1.02 GiB free.
Z: is Fixed (FAT32) - 9.99 GiB total, 3.9 GiB free.

\\.\PHYSICALDRIVE4 - SAMSUNG HD103UJ - 931.51 GiB - 1 partition
\PARTITION0 - Installable File System - 931.51 GiB - W:

\\.\PHYSICALDRIVE2 - ST3320620NS - 298.09 GiB - 2 partitions
\PARTITION0 - Unknown - 10 GiB - Z:
\PARTITION1 - Extended w/Extended Int 13 - 288.08 GiB - F:

\\.\PHYSICALDRIVE3 - ST3320620NS - 298.09 GiB - 1 partition
\PARTITION0 - Installable File System - 298.09 GiB - Y:

\\.\PHYSICALDRIVE1 - ST3320620NS - 298.09 GiB - 1 partition
\PARTITION0 - Installable File System - 298.09 GiB - X:

\\.\PHYSICALDRIVE0 - ST3320620NS - 298.09 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 40 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 258.08 GiB - E:

\\.\PHYSICALDRIVE5 - SAMSUNG HD103UJ SCSI Disk Device - 931.51 GiB - 1 partition
\PARTITION0 - Installable File System - 931.51 GiB - V:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Marek\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MM-DESKTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Marek
LOGONSERVER=\\MM-DESKTOP
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=Z:\Temp
TMP=z:\Temp
USERDOMAIN=MM-DESKTOP
USERNAME=Marek
USERPROFILE=C:\Documents and Settings\Marek
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Marek (admin)
Luiza (new local, admin)
Xenia (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Anti-Malware 3.5 --> "C:\Program Files\a-squared Anti-Malware\unins000.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
All My Movies 4.9 GAOTD --> "C:\Mapps\AllMyMovies\unins000.exe"
Ashampoo AntiSpyWare 2.02 --> "C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\unins000.exe"
Ashampoo Magical Optimizer --> "C:\Program Files\Ashampoo\Ashampoo Magical Optimizer\Uninstall\1406_Uninstall.exe"
Ashampoo UnInstaller Platinum Suite --> "C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\Uninstall\UIP_Uninstall.exe"
ASUS WiFi-AP Solo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B3F4499-32E6-470D-8586-E6C03420F889}\Setup.exe" -l0x9 REMOVE
ASUSUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\setup.exe" -l0x9
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avidemux 2.4 --> C:\Program Files\Avidemux 2.4\uninstall.exe
CmdHere Powertoy For Windows XP --> MsiExec.exe /I{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
Disk Checker --> C:\Mapps\Disk Checker\uninstall.exe
Disk Investigator 1.4 --> C:\Mapps\Disk Investigator\uninst.exe
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
EasyRecovery --> "C:\Program Files\Kroll Ontrack\EasyRecovery\unins000.exe"
EverNote --> C:\Program Files\InstallShield Installation Information\{00C297B1-02F3-4BEE-8B57-7BCA695A41DA}\setup.exe -runfromtemp -l0x0009 -removeonly
eXPert PDF 4 --> MsiExec.exe /X{A6E92CAB-9E63-46DC-8ABF-0CAFF7B7CD02}
ffdshow [rev 1925] [2008-04-05] --> "C:\Program Files\ffdshow\unins000.exe"
Free Video Dub version 1.2 --> "C:\Program Files\DVDVideoSoft\Free Video Dub\unins000.exe"
FreeCommander 2007.10a --> "C:\Mapps\FreeCommander\unins000.exe"
GetDataBack for NTFS --> "C:\Program Files\RuntimeSoft\GetDataBack for NTFS\Uninstall.exe" "C:\Program Files\RuntimeSoft\GetDataBack for NTFS\install.log" -u
GIMP 2.4.4 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Hard Drive Test Pilot 2.6 --> "C:\Program Files\MirskiySolutions\HDTP\unins000.exe"
HD Tune 2.54 --> "C:\Program Files\HD Tune\unins000.exe"
HDD Health v2.1 Beta --> "C:\Program Files\HDD Health\unins000.exe"
High Definition Audio Driver Package - KB888111 --> C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "E:\Marek\Soft\Antyvir\HijackThis.exe" /uninstall
HP Customer Participation Program 7.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Document Viewer 7.0 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Photosmart Premier Software 6.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photosmart, Officejet and Deskjet 7.0.A --> C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Inca Ball 1.01 --> "C:\Mapps\Games\Inca Ball\unins000.exe"
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
JMB36X Raid Configurer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x9 -removeonly
Jupiter 2007 Standard --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{76F60DF7-F02D-493B-9BF4-AC6C3C4DB08F}
Jupiter 2007 Standard --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7EF7A6C-3BAD-45D4-B98B-22972FE76870}
jv16 PowerTools 1.3 --> "C:\Program Files\jv16 PowerTools\unins000.exe"
LiveUpdate 2.7 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Macrium Reflect - Free Edition --> MsiExec.exe /I{557DB66F-8DFF-4770-972B-24AEA12506D5}
Mad Cars --> "C:\Mapps\REALORE\Mad Cars\unins000.exe"
MagicTweak Version 4.11 --> "C:\Mapps\Mgtweak\unins000.exe"
Maxtor MaxBlast --> MsiExec.exe /X{81A60A13-224D-4637-8203-3EAC03B121A4}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 6 --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NikSaver 1.6 --> "M:\Mapps\NikSaver\unins000.exe"
OCR Software by I.R.I.S 7.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
Opera 9.51 --> MsiExec.exe /X{179624B1-2683-45ED-965A-B72189EB5820}
PC Inspector File Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x9
PDF Image Extraction Wizard 2.0 --> "C:\Program Files\PDF Image Extraction Wizard 2.0\unins000.exe"
Pinnacle TVCenter Pro --> "C:\Program Files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exe"UNINSTALL /l0x0009
PowerCmd 1.7.219 --> "C:\Mapps\PowerCmd\unins000.exe"
PPTminimizer --> "P:\Mapps\PPTminimizer\unins000.exe"
ProjectX 0.90.4.00 --> C:\Program Files\ProjectX_0.90.4.00\Uninstall.exe
QPT v508 --> MsiExec.exe /I{1CD589E6-D24E-4957-BF82-941509628813}
Race Cars 1.0 --> "C:\Program Files\Games\Race Cars\unins000.exe"
REALTEK GbE & FE Ethernet PCI NIC Driver --> C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\Setup.exe -runfromtemp -l0x0009 -removeonly
RecentX 2.0 --> "C:\Mapps\RecentX\unins000.exe"
Recover Files 2.1 --> "C:\Mapps\Recover Files\unins000.exe"
Recover My Files --> "C:\Mapps\GetData\Recover My Files\unins000.exe"
Recuva (remove only) --> "C:\Mapps\Recuva\uninst.exe"
Rozliczenie Roczne Rzeczpospolitej 2007 --> "c:\Mapps\RP PIT 2007\Odinstaluj.exe"
RQ Search and Replace 1.82 --> "C:\Mapps\RQ Search and Replace\unins000.exe"
save2pc Light 3.27 --> "C:\Mapps\FDRLab\save2pc\unins000.exe"
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SwiftCompare 1.3 --> "C:\Mapps\SwiftCompare\unins000.exe"
Symantec Ghost Standard Tools --> MsiExec.exe /I{B8C29E2A-23D3-48BF-0B1E-5F3EFABF1010}
Theseus and the Minotaur --> C:\Mapps\Games\Theseus and the Minotaur\uninstall.exe
think-cell chart --> MsiExec.exe /X{B6459B1C-3BC2-435C-92DC-0C7C68E03A6A}
Tiny Cars 2 --> "C:\Mapps\Games\Tiny Cars 2\unins000.exe"
Turtle Odyssey --> "C:\Mapps\Games\Turtle Odyssey\unins000.exe"
Turtle Odyssey 2 --> "C:\Mapps\Games\Turtle Odyssey 2\unins000.exe"
Undelete Plus 2.71 --> "C:\Mapps\FDRLab\Undelete Plus\unins000.exe"
UndeleteMyFiles --> "C:\Mapps\UndeleteMyFiles\unins000.exe"
Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe
USB Safely Remove 4.0 beta 6 --> "C:\Mapps\USB Safely Remove\unins000.exe"
VideoGet --> "C:\Mapps\Nuclear Coffee\VideoGet\unins000.exe"
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VLC\uninstall.exe
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinFast PVR --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{934519A2-4D50-4B83-A459-92D90E9E3188}\setup.exe" -l0x9 -removeonly
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WinZip Command Line Support Add-On 1.1 --> C:\Program Files\WinZip\winzip32 /auninstall wzcline
XML Paper Specification Shared Components Pack 1.0 -->
ZC Video Converter 1.2.1 --> "C:\Program Files\ZC Video Converter\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type7050 / Error
Event Submitted/Written: 08/11/2008 01:20:00 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type7039 / Warning
Event Submitted/Written: 08/11/2008 00:05:59 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{46B63F23-2B4A-4525-A827-688026BE5E40}', feature 'SAVUI' failed during request for component '{0ABF6425-272D-4795-9BD8-F2428110EC95}'

Event Record #/Type7038 / Warning
Event Submitted/Written: 08/11/2008 00:05:59 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{46B63F23-2B4A-4525-A827-688026BE5E40}', feature 'SAVMain', component '{8BF1B138-A274-46F2-8FC4-B98349B10D2D}' failed. The resource 'HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ProductControl\RoamClient' does not exist.

Event Record #/Type7024 / Warning
Event Submitted/Written: 08/11/2008 11:24:51 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{46B63F23-2B4A-4525-A827-688026BE5E40}', feature 'SAVUI' failed during request for component '{0ABF6425-272D-4795-9BD8-F2428110EC95}'

Event Record #/Type7023 / Warning
Event Submitted/Written: 08/11/2008 11:24:51 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{46B63F23-2B4A-4525-A827-688026BE5E40}', feature 'SAVMain', component '{8BF1B138-A274-46F2-8FC4-B98349B10D2D}' failed. The resource 'HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ProductControl\RoamClient' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type29970 / Warning
Event Submitted/Written: 08/11/2008 01:11:34 PM
Event ID/Source: 52 / Disk
Event Description:
The driver has detected that device \Device\Harddisk4\DR4 has predicted that it will fail.
Immediately back up your data and replace your hard disk drive. A failure
may be imminent.

Event Record #/Type29963 / Warning
Event Submitted/Written: 08/11/2008 00:13:13 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 00308D000001. The IP address being used is 169.254.46.2.

Event Record #/Type29951 / Error
Event Submitted/Written: 08/11/2008 00:12:16 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The WinFast WalkieTV Firmware Loader service failed to start due to the following error:
%%1058

Event Record #/Type29933 / Error
Event Submitted/Written: 08/11/2008 00:00:09 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The HP Port Resolver service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type29923 / Error
Event Submitted/Written: 08/11/2008 11:59:40 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The HP Port Resolver service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-08-11 13:20:57 ------------



KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 09, 2008 23:02:10
Records in database: 1076457

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
O:\
V:\
W:\
X:\
Y:\
Z:\

Scan statistics
Files scanned 95000
Threat name 9
Infected objects 11
Suspicious objects 0
Duration of the scan 01:13:51

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00001.VBN Infected: Trojan-Dropper.Win32.Pincher.bs 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E340047.VBN Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E340048.VBN Infected: Trojan-Spy.Win32.Banker.lfj 1

C:\Documents and Settings\Marek\Local Settings\Application Data\Opera\Opera\profile\cache4\opr01MQ4 Infected: Trojan-Downloader.JS.Timul.cv 1

C:\Documents and Settings\Marek\Local Settings\Temporary Internet Files\Content.IE5\FEP899L0\sw[1].exe Infected: Trojan-Downloader.Win32.Small.zgf 1

C:\Program Files\Ashampoo\Ashampoo Magical Optimizer\quit_app.exe Infected: Trojan-Downloader.Win32.Delf.kao 1

C:\Program Files\Messenger\msgmr.dll Infected: Trojan-Downloader.Win32.Agent.yuv 1

C:\WINDOWS\Fonts\Framdee.ttf Infected: Trojan-Downloader.Win32.Small.yvn 1

E:\Marek\Soft\Ashampoo Magical Optimizer 1.22.exe Infected: Trojan-Downloader.Win32.Delf.kao 1

E:\Marek\Soft\Nero6\Nero-6.6.1.15a.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

Z:\Temp\orz.exe Infected: Trojan-Downloader.Win32.Small.zgf 1

The selected area was scanned.
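A triage pass over the report above, added here as an example and not part of the original post or of Kaspersky's own tooling: it parses the "File name / Threat name / Threats count" lines and sorts each hit by where the file sits. The sample text is a constructed excerpt that reuses paths from the report; the location categories are my own assumption about what a responder wants to separate, not anything the scanner reports.

```python
"""Sort the hits in a Kaspersky Online Scanner 7 report by where each file sits."""
import re

# Constructed excerpt in the report's own line layout; paths are taken from the report above.
SAMPLE_REPORT = """\
File name Threat name Threats count
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Symantec AntiVirus Corporate Edition\\7.5\\Quarantine\\0AD00001.VBN Infected: Trojan-Dropper.Win32.Pincher.bs 1

C:\\Documents and Settings\\Marek\\Local Settings\\Temporary Internet Files\\Content.IE5\\FEP899L0\\sw[1].exe Infected: Trojan-Downloader.Win32.Small.zgf 1

C:\\Program Files\\Messenger\\msgmr.dll Infected: Trojan-Downloader.Win32.Agent.yuv 1

C:\\WINDOWS\\Fonts\\Framdee.ttf Infected: Trojan-Downloader.Win32.Small.yvn 1

E:\\Marek\\Soft\\Nero6\\Nero-6.6.1.15a.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

The selected area was scanned.
"""

# one hit line: <drive:\path with spaces> Infected: <threat name> <count>
HIT = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify(path):
    """Location category (an assumption of this example, not a scanner field)."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantined"          # another product's isolated copy, not running
    if "temporary internet files" in p or "\\cache" in p or "\\temp\\" in p:
        return "cache"                # drive-by leftovers, cleared with the cache
    if p.startswith("c:\\windows\\") or p.startswith("c:\\program files\\"):
        return "live-system"          # can be loaded by the running system
    return "installer-or-data"        # downloaded installers and data drives


def parse_hits(report):
    """(path, threat, count) for every hit line in the report text."""
    hits = []
    for line in report.splitlines():
        m = HIT.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def triage(report):
    """Group hits by category, preserving report order within each category."""
    out = {}
    for path, threat, _ in parse_hits(report):
        out.setdefault(classify(path), []).append((path, threat))
    return out


if __name__ == "__main__":
    for category, items in triage(SAMPLE_REPORT).items():
        print(category)
        for path, threat in items:
            print("   ", threat, "-", path)
```

The point of the split: the Symantec quarantine entries are copies an earlier product already isolated, and the browser-cache and Z:\Temp entries disappear when those folders are cleared, so neither explains an infection that keeps coming back. The "live-system" bucket (here a DLL under Program Files\Messenger and a file under WINDOWS\Fonts carrying a downloader detection) is where a file that can still be loaded would show up, and those are the paths worth checking first.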



#2 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston Mass
  • Local time:04:52 PM

Posted 23 August 2008 - 09:53 PM

  • Hello and welcome to BC

    We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

    If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

    Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

    Thanks and again sorry for the delay.

    First
    Seeing it's been a number of days since your original scanning with HJT, could you please run HJT now and post a fresh HJT log back to this topic please.

    Next

  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • You can click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into this topic please.


    Next
    Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

    In recap please post back the requested info from above
  • Fresh HJT log
  • Uninstall List
  • Log from the Kaspersky scan


#3 mm88

mm88
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:52 PM

Posted 25 August 2008 - 02:35 PM

Hi,

I greatly appreciate what you guys do for us, so no need to be sorry for the delay.
Since my last post I did a few scans with various tools and a few upgrades (Windows, java, Acrobat Reader, etc.) and cleaned temp folders a few times between upgrades.

I do not get any warnings from Avast or Kaspersky any more, however, from time to time, I see that the following line is inserted on top of some pages (including this one, while I am posting the reply):
<script language="javascript" SRC="http://v.freefl.info/day.js">
I added a few entries to the 'hosts' file hoping to block data exchange, but I do not know how to get rid of it completely.

I have the same problem on my laptop.

Below there are the logs you asked for. With Kaspersky I scanned only drives C:, E: and Z:, containing the system, various files (e.g. downloaded soft) and temp files respectively. Other disks contain only data, almost solely mpeg and avi files. Scanning them would take me several more hours, so I skipped them.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:40:02, on 25/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Mapps\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\eXPert PDF\vspdfprsrv.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HDD Health\hddhealth.exe
C:\Mapps\USB Safely Remove\USBSafelyRemove.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFFFF-D71D-41e4-A699-F506DBD097F0} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Program Files\eXPert PDF\vspdfprsrv.exe --background
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AntiSpyWare2Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [USB Safely Remove] C:\Mapps\USB Safely Remove\USBSafelyRemove.exe /startup
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: PopTray.lnk = C:\Mapps\PopTray\PopTray.exe
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\Mapps\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\Mapps\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virussca...can_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://ebrdremote.ebrd.com/citrix/wfica.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191100253734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Mapps\Macrium\Reflect\ReflectService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10360 bytes





Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
All My Movies 4.9 GAOTD
Ashampoo AntiSpyWare 2.02
Ashampoo Magical Optimizer
Ashampoo UnInstaller Platinum Suite
a-squared Anti-Malware 3.5
ASUS WiFi-AP Solo
ASUSUpdate
ATI Display Driver
avast! Antivirus
Avidemux 2.4
CmdHere Powertoy For Windows XP
COMODO Firewall Pro
DiffDaff Version 1.0
Disk Checker
Disk Investigator 1.4
DivX
EasyRecovery
Eraser
Eraser
EverNote
eXPert PDF 4
ffdshow [rev 1925] [2008-04-05]
Free Video Dub version 1.2
FreeCommander 2007.10a
GetDataBack for NTFS
GIMP 2.4.4
Hard Drive Test Pilot 2.6
HD Tune 2.54
HDD Health v2.1 Beta
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
Inca Ball 1.01
Java™ 6 Update 7
JMB36X Raid Configurer
Jupiter 2007 Standard
Jupiter 2007 Standard
jv16 PowerTools 1.3
Kaspersky Online Scanner
LiveUpdate 2.7 (Symantec Corporation)
Macrium Reflect - Free Edition
Mad Cars
MagicTweak Version 4.11
Maxtor MaxBlast
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nero 6
NikSaver 1.6
OCR Software by I.R.I.S 7.0
Opera 9.51
PC Inspector File Recovery
PDF Image Extraction Wizard 2.0
Pinnacle TVCenter Pro
PopTray 3.20
PopTray Plug-ins (beta 6)
PowerCmd 1.7.219
PPTminimizer
ProjectX 0.90.4.00
QPT v508
Race Cars 1.0
REALTEK GbE & FE Ethernet PCI NIC Driver
RecentX 2.0
Recover Files 2.1
Recover My Files
Recuva (remove only)
Rozliczenie Roczne Rzeczpospolitej 2007
RQ Search and Replace 1.82
save2pc Light 3.27
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Skype™ 3.6
SoundMAX
Spybot - Search & Destroy
Spyware Doctor 5.5
SwiftCompare 1.3
Symantec Ghost Standard Tools
Theseus and the Minotaur
think-cell chart
Tiny Cars 2
Turtle Odyssey
Turtle Odyssey 2
Undelete Plus 2.71
UndeleteMyFiles
Unlocker 1.8.5
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
USB Safely Remove 4.0 beta 6
VideoGet
VideoLAN VLC media player 0.8.6c
VirusTotal Uploader
Windows Imaging Component
Windows XP Service Pack 3
WinFast PVR
WinZip
WinZip Command Line Support Add-On 1.1
Wise Disk Cleaner 3.6.1
ZC Video Converter 1.2.1



KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 24, 2008 23:41:04
Records in database: 1141523

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
C:\

Scan statistics
Files scanned 65220
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:31:04

No malware has been detected. The scan area is clean.
The selected area was scanned.



KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 24, 2008 23:41:04
Records in database: 1141523

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
Z:\

Scan statistics
Files scanned 868
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:01:18

No malware has been detected. The scan area is clean.
The selected area was scanned.



KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 24, 2008 23:41:04
Records in database: 1141523

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
E:\

Scan statistics
Files scanned 13650
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 00:24:27

File name Threat name Threats count
E:\Marek\Soft\Nero6\Nero-6.6.1.15a.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

The selected area was scanned.
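A check for the behaviour described in this post, added here as an example and not code from the original thread: given HTML captured from several unrelated sites, it flags an external script host that turns up on more than one of them, flags a script tag that sits ahead of the document's own markup, and prints the hosts-file lines that are still missing from an existing hosts file. The three page bodies are constructed samples; the two hostnames are the ones reported in this thread (the second one appears in a later post), and the treatment of "ahead of the markup" as an injection indicator is my assumption.

```python
"""Spot a script tag injected into pages on the client side, independent of which site was loaded."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed samples (not real captures): three unrelated sites, each returned with an extra
# external <script> ahead of the real markup, the way the post describes. Hostnames are the
# two reported in this thread; the page contents are made up.
SAMPLE_PAGES = {
    "http://www.bleepingcomputer.com/forums/": (
        '<script language="javascript" SRC="http://v.freefl.info/day.js"></script>'
        '<html><head><script src="/js/forum.js"></script></head><body>post</body></html>'
    ),
    "http://example.org/news": (
        '<script language="javascript" SRC="http://v.freefl.info/day.js"></script>'
        '<html><body><script src="http://cdn.example.org/app.js"></script></body></html>'
    ),
    "http://example.net/": (
        '<script language="javascript" SRC="http://ads.633f94d3.info/day.js"></script>'
        '<html><body>unrelated page</body></html>'
    ),
}

# src attribute of any <script ...> tag; attribute names matched case-insensitively (SRC=...)
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# document whose very first tag (after optional comments) is a <script>: assumed here to mean
# something prepended the tag to the response body before the browser rendered it
LEADING_SCRIPT = re.compile(r'^\s*(?:<!--.*?-->\s*)*<script\b', re.IGNORECASE | re.DOTALL)


def external_script_hosts(page_url, html):
    """Hosts of script src URLs that are not on the page's own host."""
    page_host = urlparse(page_url).hostname
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host != page_host:
            hosts.add(host.lower())
    return hosts


def common_script_hosts(pages, min_sites=2):
    """Script hosts shared by at least min_sites different sites: a site-independent injection."""
    seen_on = defaultdict(set)
    for url, html in pages.items():
        for host in external_script_hosts(url, html):
            seen_on[host].add(urlparse(url).hostname)
    return {h: sorted(s) for h, s in seen_on.items() if len(s) >= min_sites}


def prepended_script_hosts(pages):
    """Hosts of script tags that precede the document's own markup, whatever the host is."""
    found = set()
    for html in pages.values():
        if LEADING_SCRIPT.match(html):
            m = SCRIPT_SRC.search(html)
            host = urlparse(m.group(1)).hostname if m else None
            if host:
                found.add(host.lower())
    return found


def hosts_file_entries(block_hosts, existing_hosts_text=""):
    """127.0.0.1 lines for the hosts not already named in an existing hosts file."""
    already = set()
    for line in existing_hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        already.update(f.lower() for f in fields[1:])
    return [f"127.0.0.1 {h}" for h in sorted(block_hosts) if h not in already]


if __name__ == "__main__":
    print("same host on several sites:", common_script_hosts(SAMPLE_PAGES))
    print("script ahead of markup:", sorted(prepended_script_hosts(SAMPLE_PAGES)))
    print("\n".join(hosts_file_entries(prepended_script_hosts(SAMPLE_PAGES),
                                      "127.0.0.1 v.freefl.info\n")))
```

On Windows XP the file the entries go into is C:\WINDOWS\system32\drivers\etc\hosts. The cross-site check catches only a host that has already been seen on more than one site, so when the injector switches domains (as the later post in this thread reports) it stays silent until the new host repeats; the position check does not care which host is used, which is why a hosts-file block is a stopgap and the component doing the injecting is what has to be found.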

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:52 PM

Posted 28 August 2008 - 08:27 PM

Hello, mm88.
We have to remove some entries in HiJack This
  • Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:
    O2 - BHO: (no name) - {FFFFFFFF-D71D-41e4-A699-F506DBD097F0} - (no file)
  • Close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
I don't see any malware here, are you still having problems?

In your next reply, please include the following:
  • A New HiJack This log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:52 PM

Posted 30 August 2008 - 05:06 PM

Hello, mm88.
Are you still here?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 mm88

mm88
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:52 PM

Posted 31 August 2008 - 03:54 AM

Hi Billy3,

I appreciate your help very much!

I did as advised, additionally deleting all the temp files of IE and Opera, and ... noticed that strange behaviour again. It takes some time before it starts - this time I had not noticed anything strange for a day, before it started again.

This time the following code is injected:
<script language="javascript" SRC="http://ads.633f94d3.info/day.js">
So the same damned day.js script, but from a different address.

It also happened a few times that my internet connection got broken. My second computer remained connected. Restarting the router did not help, disabling and enabling the card did not help, repairing did not work (just waiting for a new IP from the DHCP server with no result). Only rebooting did help.
On my second computer I see another strange thing: the sizes of files in Windows Explorer are not split into 3-digit sections with dots, just digits. A few times I could see some of the files with dots, some without, in the same folder.

Fresh HJT log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:05, on 31/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Mapps\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\eXPert PDF\vspdfprsrv.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HDD Health\hddhealth.exe
C:\Mapps\USB Safely Remove\USBSafelyRemove.exe
C:\Program Files\Eraser\Eraser.exe
C:\Mapps\PopTray\PopTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Program Files\eXPert PDF\vspdfprsrv.exe --background
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AntiSpyWare2Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [USB Safely Remove] C:\Mapps\USB Safely Remove\USBSafelyRemove.exe /startup
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: PopTray.lnk = C:\Mapps\PopTray\PopTray.exe
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\Mapps\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\Mapps\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virussca...can_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://ebrdremote.ebrd.com/citrix/wfica.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191100253734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Mapps\Macrium\Reflect\ReflectService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10349 bytes

#7 Billy O'Neal

    Visual C++ STL Maintainer
  • Malware Response Team
  • Location:Redmond, Washington

Posted 31 August 2008 - 02:14 PM

Hello, mm88.
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • Kaspersky's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#8 mm88

  • Topic Starter

Posted 31 August 2008 - 04:39 PM

Hello Billy,

Kaspersky could not find anything in the last 2 scans.
I will run Kaspersky again this night, but I'm afraid it will not find the problem.

I googled "v.freefl.info" (not so many hits) and found some suggestions (e.g. here) that it could be a problem with my ISP. What do you think? I have a Linksys router connected to my ISP line, and 2 computers connected to the router. I do not see any double entries with the 'arp -a' command...

I will post the Kaspersky logs once it is finished. I will scan selected drives, as I have huge ones attached with video files only. Scanning them would take at least a full day. Is it OK?

Rgds,
MM

#9 Billy O'Neal

Posted 31 August 2008 - 04:48 PM

Yes, that will be fine.

Billy3

#10 mm88

Posted 02 September 2008 - 12:04 PM

Hi Billy,

I scanned my drives with Kaspersky - nothing new found (see below - there are 2 infected files, but not used).
FYI: C: is my system drive, E: is my user files drive, Z: is my temp files partition.

From time to time (not always) I still see the same line inserted into web pages I visit.
I also contacted my ISP by phone; they were not very clear in their replies, but confirmed there was a problem with other (infected) computers on the same LAN I am connected to, and that they were trying to cut them off. However, they did not confirm directly that I was the cause of what I had observed.
I also checked the existing connections ('netstat -ano'); all were legitimate as far as I could tell, following computer magazine instructions.

Let me know if you have more ideas what to do.

Now I plan to look carefully at my laptop, where I cannot do whatever I want (it's a company laptop with extra software).

Rgds,
MM


KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 1, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 31, 2008 20:59:52
Records in database: 1172205

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
C:\

Scan statistics
Files scanned 65749
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 00:32:44

File name Threat name Threats count
C:\Mapps\Disk Checker\uninstall.exe Infected: Trojan.Win32.KillWin.md 1

The selected area was scanned.

KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 1, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 31, 2008 20:59:52
Records in database: 1172205

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
E:\

Scan statistics
Files scanned 13787
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 00:25:24

File name Threat name Threats count
E:\MM\Soft\Nero6\Nero-6.6.1.15a.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

The selected area was scanned.


KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 31, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 31, 2008 20:59:52
Records in database: 1172205

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
Z:\

Scan statistics
Files scanned 886
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:00:14

No malware has been detected. The scan area is clean.
The selected area was scanned.

#11 Billy O'Neal

Posted 02 September 2008 - 07:22 PM

Yes, this could be caused by your ISP. This machine does not appear infected.

Try this and see if it helps:

Let's try setting up this machine with OpenDNS
  • Go to Start -> Control Panel -> Network Connections (You may need to click classic view before you can see network connections).
  • Right-click on the LAN adapter you use to access your LAN.
  • Click on "Internet Protocol (TCP/IP)".
  • Click "Properties"
  • Click the radio button that is labeled "Use the following DNS server addresses:"
  • Enter the following numbers for primary and secondary server:
    • 208.67.222.222
    • 208.67.220.220
  • Then press OK a bunch of times, and close Network Connections and Control Panel.
  • REBOOT!!
Then see if things continue.

Please post a new HJT log after you have done this.

Billy3
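
An added example, not part of the thread and not code written by any of its participants: mm88 looked at 'arp -a' for double entries in posts #8 and #10, and post #11 moves the machine to OpenDNS. The Python below performs both checks offline against constructed command output (every address and MAC in it is made up for the example; the adapter name, gateway address and "recorded" router MAC are assumptions, not values from this machine). It flags a MAC that the ARP cache lists for more than one IP, and a gateway MAC that differs from one noted down on a known-clean day, which is the trace an infected neighbour on the same segment leaves when it poisons ARP to sit between a PC and the router; and it reads 'ipconfig /all' output to confirm that only the two OpenDNS resolvers remain configured. A resolver change does not stop content injected on the local segment, so the ARP check is the one worth re-running if the inserted line keeps appearing.

```python
"""Offline checks for two things discussed in the thread: an ARP cache that
shows signs of poisoning by another host on the same segment, and the DNS
server settings after switching an adapter to OpenDNS.  All sample output
below is constructed for the example; none of it comes from the poster's PC."""
import re
from collections import defaultdict

# Constructed Windows XP "arp -a" output.  One MAC (a hypothetical PC NIC) is
# cached for both the gateway address and an ordinary host: the shape a
# poisoned cache takes when a neighbour answers ARP requests for the gateway.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-13-d4-7e-21-9a     dynamic
  192.168.1.37          00-13-d4-7e-21-9a     dynamic
  192.168.1.52          00-0c-29-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed adapter section of "ipconfig /all" after the OpenDNS change
# (adapter name and addresses are assumptions made for the example).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 208.67.222.222
                                            208.67.220.220
"""

OPENDNS = {"208.67.222.222", "208.67.220.220"}  # the two resolvers named in the post

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)
IP_ONLY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_arp(text):
    """Return [(ip, mac, type)] from "arp -a" output, MACs in lower case."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def shared_macs(entries):
    """MACs cached for more than one IP, ignoring broadcast and IPv4 multicast.

    A router that legitimately owns several addresses also produces this, so a
    hit is something to look into, not proof of poisoning on its own."""
    by_mac = defaultdict(list)
    for ip, mac, _kind in entries:
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(entries, gateway_ip, recorded_mac):
    """True if the MAC now cached for the gateway differs from one recorded
    earlier (for example, read off the router's label on a clean day)."""
    current = {ip: mac for ip, mac, _kind in entries}.get(gateway_ip)
    return current is not None and current != recorded_mac.lower()


def dns_servers(text):
    """Configured DNS servers from "ipconfig /all" output.  The first server is
    on the "DNS Servers" line; extra ones follow on lines holding only an IP."""
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            _, _, tail = line.partition(":")
            if tail.strip():
                servers.append(tail.strip())
            continue
        if collecting:
            m = IP_ONLY.match(line)
            if not m:
                break
            servers.append(m.group(1))
    return servers


def uses_only(servers, allowed):
    """True if at least one server is configured and all of them are in allowed."""
    return bool(servers) and set(servers) <= set(allowed)


if __name__ == "__main__":
    arp = parse_arp(SAMPLE_ARP)
    print("MACs cached for several IPs:", shared_macs(arp))
    # 00-18-39-5c-11-02 stands in for the MAC printed on the router (assumed).
    print("gateway MAC differs from recorded:",
          gateway_mac_changed(arp, "192.168.1.1", "00-18-39-5c-11-02"))
    cfg = dns_servers(SAMPLE_IPCONFIG)
    print("DNS servers:", cfg, "-> OpenDNS only:", uses_only(cfg, OPENDNS))
```

To use it on a real machine, save the output of 'arp -a' and 'ipconfig /all' to text files and pass their contents to parse_arp and dns_servers. A router that legitimately owns several addresses will also appear in shared_macs, so treat a hit as a prompt to compare the cached gateway MAC with the one printed on the router, not as proof by itself.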

#12 Billy O'Neal

Posted 06 September 2008 - 10:25 PM

Hello, mm88.
Are you still here?

Billy3

#13 Billy O'Neal

Posted 07 September 2008 - 10:33 PM

Hello, maxin.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3



