Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Your computer infected Popup Red X - Trojan?


  • This topic is locked This topic is locked
14 replies to this topic

#1 browner

browner

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 14 October 2008 - 02:10 PM

Hi everyone, i hope someone can help. My pc got infected on Sunday, its a red X symbol in the quick launch bar - and when you hover the mouse over the symbol the pop up box reads:


"Your computer is infected. Windows has detcted spyware infection. It is recommended to use special antispyware tools to pervent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!"

i've gone through the procedures in the Preparation guide on this site but still had no luck getting rid of the virus. My F-secure antivirus programme has highlighted svchost.exe, Win32 perflogger and Trojan Dowloader Win32/agent as possible risks but is unable to delete/disinfect any of these. I've attached the Hijack log, any help would be greatly appreciated.

On a side note, for some reason my keyboard won't operate in the boot screen before entering safe mode, so i can't get into safe mode to make any changes. Its a Logitech keyboard - its power lights don't seem to come on until the Windows XP symbol is already on the screen.

Thanks in advance


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:56, on 14/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\brastk.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKLM\..\Run: [svchots] C:\WINDOWS\system32\svchots.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] "C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe" /START
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--
End of file - 10703 bytes

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:41 AM

Posted 15 October 2008 - 02:47 AM

Hi,

Your system is severly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you disabled Teatimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, rightclick the link and choose "save as").
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 browner

browner
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 15 October 2008 - 01:19 PM

Thanks for your help, i really appreciate your time and effort. I've backed up my important files in case of a failure. i've followed the procedures as you outlined, the reports are as follows

hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:16:18, on 15/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [svchots] C:\WINDOWS\system32\svchots.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--
End of file - 10026 bytes


Combofix

ComboFix 08-10-15.01 - pjb 2008-10-15 18:34:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1044 [GMT 1:00]
Running from: C:\Documents and Settings\pjb\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\pjb\Application Data\inst.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Sysvxd.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.

2008-10-15 03:02 . 2008-10-15 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-10-15 01:51 . 2008-09-08 11:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 01:50 . 2008-08-14 11:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 01:50 . 2008-08-14 11:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 01:50 . 2008-08-14 10:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 01:50 . 2008-08-14 10:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 01:50 . 2008-09-15 13:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-14 22:21 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-10-14 22:18 . 2008-10-14 22:18 <DIR> d-------- C:\Program Files\Panda Security
2008-10-14 19:53 . 2008-10-14 19:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-14 06:46 . 2008-10-14 07:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-14 06:46 . 2008-10-14 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-13 21:43 . 2008-10-13 21:43 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-13 21:43 . 2008-10-13 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-13 21:42 . 2008-10-13 21:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-13 21:28 . 2008-10-13 21:28 0 --a------ C:\WINDOWS\system32\web.dat
2008-10-12 23:59 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-12 20:03 . 2008-06-25 14:41 79,904 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-10-12 20:02 . 2008-10-15 18:12 <DIR> d-------- C:\Program Files\F-Secure Internet Security
2008-10-12 20:01 . 2008-10-12 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-10-12 20:00 . 2008-10-12 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\f-secure
2008-10-12 19:23 . 2008-10-12 19:29 <DIR> d-------- C:\WINDOWS\system32\dt
2008-10-12 19:16 . 2008-10-13 07:11 <DIR> d--hs---- C:\WINDOWS\system32\YOF
2008-10-12 16:31 . 2004-08-04 13:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-10-12 16:31 . 2004-08-04 13:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-10-12 14:12 . 2008-10-13 03:34 <DIR> d-------- C:\Documents and Settings\pjb\Application Data\HouseCall 6.6
2008-10-12 14:10 . 2008-10-13 21:18 717 --a------ C:\WINDOWS\system32\wini104552663.exe
2008-10-12 14:09 . 2008-10-13 06:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\enkrqteb
2008-10-11 16:05 . 2008-10-11 16:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-11 16:05 . 2008-10-11 16:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-05 18:18 . 2008-10-05 18:18 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 17:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-10-13 05:48 --------- d-----w C:\Documents and Settings\pjb\Application Data\F-Secure
2008-10-11 11:06 --------- d-----w C:\Documents and Settings\pjb\Application Data\uTorrent
2008-10-03 21:20 --------- d-----w C:\Documents and Settings\pjb\Application Data\AdobeUM
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-30 10:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-08-29 17:44 --------- d-----w C:\Program Files\Common Files\Logitech
2008-08-29 17:44 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-08-29 17:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-29 17:36 15,103 ----a-w C:\WINDOWS\system32\msiclass.dll
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-18 19:35 --------- d-----w C:\Documents and Settings\Family\Application Data\AdobeUM
2008-08-17 13:28 --------- d-----w C:\Program Files\Java
2008-08-16 17:12 --------- d-----w C:\Program Files\Avanquest update
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-31 18:25 47,360 ----a-w C:\Documents and Settings\pjb\Application Data\pcouffin.sys
2008-07-30 17:07 28,160 ----a-w C:\WINDOWS\hwuser.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 406016]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 5562368]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-08-15 652528]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"svchots"="C:\WINDOWS\system32\svchots.exe" [2007-10-12 417792]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" [2008-06-25 182936]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2008-06-25 957024]
"nwiz"="nwiz.exe" [2005-04-01 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-03-15 53248]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-02-12 114688]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-26 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.WJPG"= wb9967.dll
"vidc.i420"= i420vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-06-25 79904]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 F-Secure HIPS;F-Secure HIPS Driver;C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys [2008-06-25 66720]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2008-06-25 72288]
R3 FSORSPClient;F-Secure ORSP Client;C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe [2008-06-25 55904]
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys [ ]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 140416]
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [ ]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [ ]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [ ]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [ ]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [ ]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);C:\WINDOWS\system32\DRIVERS\s3017bus.sys [2007-12-10 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s3017mdfl.sys [2007-12-10 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s3017mdm.sys [2007-12-10 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s3017mgmt.sys [2007-12-10 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);C:\WINDOWS\system32\DRIVERS\s3017nd5.sys [2007-12-10 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s3017obex.sys [2007-12-10 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);C:\WINDOWS\system32\DRIVERS\s3017unic.sys [2007-12-10 110120]
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [ ]
S3 USBW9967;W9967, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\2kw9967.sys [2002-04-20 105648]
S3 WLAN_USB; Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\wlanUSB.sys [2002-01-17 50176]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2008-06-25 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2008-06-25 25184]
.
Contents of the 'Scheduled Tasks' folder

2008-09-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-McAfee QuickClean Imonitor - C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\pjb\Application Data\Mozilla\Firefox\Profiles\h45fndb7.Peter\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 19:02:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\FWES\program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-10-15 19:15:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-15 18:14:54

Pre-Run: 74,976,337,920 bytes free
Post-Run: 76,726,628,352 bytes free

236 --- E O F --- 2008-10-15 02:04:12

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:41 AM

Posted 15 October 2008 - 01:57 PM

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\svchots.exe
C:\WINDOWS\system32\wini104552663.exe
Folder::
C:\Documents and Settings\All Users\Application Data\enkrqteb
Filelook::
C:\WINDOWS\hwuser.dll
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntkrnlpa.exe
C:\WINDOWS\system32\wininet.dll
Dirlook::
C:\WINDOWS\system32\YOF
C:\WINDOWS\system32\dt
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchots"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 browner

browner
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 15 October 2008 - 03:13 PM

Hi, here are the logs

ComboFix 08-10-15.01 - pjb 2008-10-15 21:05:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1017 [GMT 1:00]
Running from: C:\Documents and Settings\pjb\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\pjb\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\svchots.exe
C:\WINDOWS\system32\wini104552663.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\enkrqteb
C:\WINDOWS\system32\svchots.exe
C:\WINDOWS\system32\wini104552663.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.

2008-10-15 03:02 . 2008-10-15 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-10-15 01:51 . 2008-09-08 11:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 01:50 . 2008-08-14 11:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 01:50 . 2008-08-14 11:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 01:50 . 2008-08-14 10:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 01:50 . 2008-08-14 10:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 01:50 . 2008-09-15 13:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-14 22:21 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-10-14 22:18 . 2008-10-14 22:18 <DIR> d-------- C:\Program Files\Panda Security
2008-10-14 19:53 . 2008-10-14 19:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-14 06:46 . 2008-10-14 07:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-14 06:46 . 2008-10-14 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-13 21:43 . 2008-10-13 21:43 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-13 21:43 . 2008-10-13 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-13 21:42 . 2008-10-13 21:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-13 21:28 . 2008-10-13 21:28 0 --a------ C:\WINDOWS\system32\web.dat
2008-10-12 23:59 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-12 20:03 . 2008-06-25 14:41 79,904 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-10-12 20:02 . 2008-10-15 18:12 <DIR> d-------- C:\Program Files\F-Secure Internet Security
2008-10-12 20:01 . 2008-10-12 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-10-12 20:00 . 2008-10-12 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\f-secure
2008-10-12 19:23 . 2008-10-12 19:29 <DIR> d-------- C:\WINDOWS\system32\dt
2008-10-12 19:16 . 2008-10-13 07:11 <DIR> d--hs---- C:\WINDOWS\system32\YOF
2008-10-12 16:31 . 2004-08-04 13:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-10-12 16:31 . 2004-08-04 13:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-10-12 14:12 . 2008-10-13 03:34 <DIR> d-------- C:\Documents and Settings\pjb\Application Data\HouseCall 6.6
2008-10-11 16:05 . 2008-10-11 16:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-11 16:05 . 2008-10-11 16:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-05 18:18 . 2008-10-05 18:18 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 18:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-10-13 05:48 --------- d-----w C:\Documents and Settings\pjb\Application Data\F-Secure
2008-10-11 11:06 --------- d-----w C:\Documents and Settings\pjb\Application Data\uTorrent
2008-10-03 21:20 --------- d-----w C:\Documents and Settings\pjb\Application Data\AdobeUM
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-30 10:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-08-29 17:44 --------- d-----w C:\Program Files\Common Files\Logitech
2008-08-29 17:44 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-08-29 17:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-29 17:36 15,103 ----a-w C:\WINDOWS\system32\msiclass.dll
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-18 19:35 --------- d-----w C:\Documents and Settings\Family\Application Data\AdobeUM
2008-08-17 13:28 --------- d-----w C:\Program Files\Java
2008-08-16 17:12 --------- d-----w C:\Program Files\Avanquest update
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-31 18:25 47,360 ----a-w C:\Documents and Settings\pjb\Application Data\pcouffin.sys
2008-07-30 17:07 28,160 ----a-w C:\WINDOWS\hwuser.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\hwuser.dll -- Unable to find file version info.
MD5: 416b0da27709ff661f3a92ba3aea35d1


---- C:\WINDOWS\system32\drivers\beep.sys ----
Company: Microsoft Corporation
File Description: BEEP Driver
File Version: 5.1.2600.0 (XPClient.010817-1148)
Product Name: Microsoft© Windows© Operating System
Copyright: ¸ Microsoft Corporation. All rights reserved.
Original file name: beep.sys
MD5: da1f27d85e0d1525f6621372e7b685e9


---- C:\WINDOWS\system32\ntkrnlpa.exe ----
Company: Microsoft Corporation
File Description: NT Kernel & System
File Version: 5.1.2600.5657 (xpsp_sp3_gdr.080814-1236)
Product Name: Microsoft© Windows© Operating System
Copyright: ¸ Microsoft Corporation. All rights reserved.
Original file name: ntkrnlpa.exe
MD5: 4ac58f03eb94a72809949d757fc39d80


---- C:\WINDOWS\system32\ntoskrnl.exe ----
Company: Microsoft Corporation
File Description: NT Kernel & System
File Version: 5.1.2600.5657 (xpsp_sp3_gdr.080814-1236)
Product Name: Microsoft© Windows© Operating System
Copyright: ¸ Microsoft Corporation. All rights reserved.
Original file name: ntoskrnl.exe
MD5: eeaf32f8e15a24f62becb1bd403bb5c5


---- C:\WINDOWS\system32\wininet.dll ----
Company: Microsoft Corporation
File Description: Internet Extensions for Win32
File Version: 7.00.6000.16735 (vista_gdr.080820-1506)
Product Name: Windows© Internet Explorer
Copyright: ¸ Microsoft Corporation. All rights reserved.
Original file name: wininet.dll
MD5: ef8eba98145bfa44e80d17a3b3453300

---- Directory of C:\WINDOWS\system32\dt ----


---- Directory of C:\WINDOWS\system32\YOF ----

2008-10-13 06:58 7351994 --a------ C:\WINDOWS\system32\YOF\FMJA.009
2008-10-12 23:58 19144 --a------ C:\WINDOWS\system32\YOF\FMJA.005
2008-10-12 23:51 1960 --a------ C:\WINDOWS\system32\YOF\FMJA.002
2008-10-12 19:16 592 --a------ C:\WINDOWS\system32\YOF\FMJA.001
2008-10-12 19:16 425984 --a------ C:\WINDOWS\system32\YOF\AKV.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 406016]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 5562368]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-08-15 652528]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" [2008-06-25 182936]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2008-06-25 957024]
"nwiz"="nwiz.exe" [2005-04-01 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-03-15 53248]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-02-12 114688]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-26 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.WJPG"= wb9967.dll
"vidc.i420"= i420vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-06-25 79904]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 F-Secure HIPS;F-Secure HIPS Driver;C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys [2008-06-25 66720]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2008-06-25 72288]
R3 FSORSPClient;F-Secure ORSP Client;C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe [2008-06-25 55904]
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys [ ]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 140416]
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [ ]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [ ]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [ ]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [ ]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [ ]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);C:\WINDOWS\system32\DRIVERS\s3017bus.sys [2007-12-10 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s3017mdfl.sys [2007-12-10 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s3017mdm.sys [2007-12-10 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s3017mgmt.sys [2007-12-10 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);C:\WINDOWS\system32\DRIVERS\s3017nd5.sys [2007-12-10 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s3017obex.sys [2007-12-10 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);C:\WINDOWS\system32\DRIVERS\s3017unic.sys [2007-12-10 110120]
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [ ]
S3 USBW9967;W9967, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\2kw9967.sys [2002-04-20 105648]
S3 WLAN_USB; Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\wlanUSB.sys [2002-01-17 50176]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2008-06-25 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2008-06-25 25184]
.
Contents of the 'Scheduled Tasks' folder

2008-09-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 21:08:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-10-15 21:11:45
ComboFix-quarantined-files.txt 2008-10-15 20:10:43
ComboFix2.txt 2008-10-15 18:15:04

Pre-Run: 76,700,966,912 bytes free
Post-Run: 76,687,310,848 bytes free

238 --- E O F --- 2008-10-15 02:04:12


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:12:16, on 15/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--
End of file - 9823 bytes


Thanks

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:41 AM

Posted 16 October 2008 - 12:18 AM

Hi,

Can you upload the following file at Virustotal as well?
http://www.virustotal.com/en/indexf.html

C:\WINDOWS\system32\YOF\AKV.exe

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Then, Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 browner

browner
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 16 October 2008 - 11:38 AM

hi, i've not managed to compelte these tasks yet as i can't find the YOF AKV file when i try to upload it on virus total. i can find it when running a search on Windows. can i make a copy of the folder, save it to desktop then upload that?

Thanks

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:41 AM

Posted 16 October 2008 - 01:16 PM

Hi,

The file is most probably hidden, so Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 browner

browner
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 16 October 2008 - 03:34 PM

Hi,

the virus total result was as follows

File AKV.exe received on 10.16.2008 20:25:43 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.17.0 2008.10.16 -
AntiVir 7.9.0.4 2008.10.16 SPR/Ardamax.GA
Authentium 5.1.0.4 2008.10.16 -
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.16 Ardamax.AER
BitDefender 7.2 2008.10.16 Application.Keylogger.Ardamax.S
CAT-QuickHeal 9.50 2008.10.16 -
ClamAV 0.93.1 2008.10.16 -
DrWeb 4.44.0.09170 2008.10.16 -
eSafe 7.0.17.0 2008.10.16 -
eTrust-Vet 31.6.6150 2008.10.16 -
Ewido 4.0 2008.10.16 Not-A-Virus.Monitor.Win32.Ardamax.ga
F-Prot 4.4.4.56 2008.10.16 -
F-Secure 8.0.14332.0 2008.10.16 Monitor.Win32.Ardamax.ga
Fortinet 3.113.0.0 2008.10.16 Keylog/Ardamax
GData 19 2008.10.16 Application.Keylogger.Ardamax.S
Ikarus T3.1.1.44.0 2008.10.16 not-a-virus:Monitor.Win32.Ardamax.ah
K7AntiVirus 7.10.497 2008.10.16 not-a-virus:Monitor.Win32.Ardamax.ga
Kaspersky 7.0.0.125 2008.10.16 not-a-virus:Monitor.Win32.Ardamax.ga
McAfee 5406 2008.10.16 Keylog-Ardamax.dll
Microsoft 1.4005 2008.10.16 -
NOD32 3528 2008.10.16 a variant of Win32/KeyLogger.Ardamax
Norman 5.80.02 2008.10.16 -
Panda 9.0.0.4 2008.10.16 Application/Ardamax
PCTools 4.4.2.0 2008.10.16 Application.Ardamax_Keylogger
Prevx1 V2 2008.10.16 -
Rising 20.66.32.00 2008.10.16 -
SecureWeb-Gateway 6.7.6 2008.10.16 Riskware.Ardamax.GA
Sophos 4.34.0 2008.10.16 -
Sunbelt 3.1.1728.1 2008.10.16 -
Symantec 10 2008.10.16 Spyware.Ardakey
TheHacker 6.3.1.0.114 2008.10.15 -
TrendMicro 8.700.0.1004 2008.10.16 -
VBA32 3.12.8.7 2008.10.16 -
ViRobot 2008.10.16.1423 2008.10.16 -
VirusBuster 4.5.11.0 2008.10.16 -
Additional information
File size: 425984 bytes
MD5...: 753eed6ba7bca7e1b625d352a5230f6d
SHA1..: db4bf56b23cbbd41d7f95d5f06ea8b062ba4b3cd
SHA256: 68d90fb1c165caa1c6c04d1dd9a29e81a83d52952d608c17284b7215aafcb859
SHA512: abf78a8018039cfc5e7dd6ec4f71bfa58ff16f15e8758a9ed04c026c941cef6d<br>a14ac057d955778a4190f1116b42088aef9c87634f94d5014db6a5401d64fc60
PEiD..: -
TrID..: File type identification<br>Generic Win/DOS Executable (49.9%)<br>DOS Executable Generic (49.8%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x42077e<br>timedatestamp.....: 0x480309e7 (Mon Apr 14 07:38:15 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 4 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x4e4a9 0x4e600 6.64 68186089c70ea7416797d1af124f9d22<br>.rdata 0x50000 0xa9a4 0xaa00 6.22 9dd4c51c8352ad5cd0ea01a8ef4caa24<br>.data 0x5b000 0x485c 0x2400 2.87 a580a8b35d3edd4c3d359adfaa589a94<br>.rsrc 0x60000 0xc734 0xc800 5.10 866fda602fb4b3e2bfbf844dea333a3c<br><br>( 10 imports ) <br>&gt; SHLWAPI.dll: UrlUnescapeW, PathFindExtensionW, PathRemoveFileSpecW<br>&gt; COMCTL32.dll: InitCommonControlsEx, ImageList_Create, ImageList_GetImageCount, ImageList_Destroy, ImageList_AddMasked, ImageList_SetImageCount, ImageList_LoadImageW, ImageList_Draw, ImageList_Add, CreateStatusWindowW, ImageList_Replace<br>&gt; SHELL32.dll: SHGetPathFromIDListW, SHBrowseForFolderW, ShellExecuteW<br>&gt; KERNEL32.dll: GetDateFormatW, GetUserDefaultLangID, GetTimeFormatW, MultiByteToWideChar, GetCurrentThreadId, GetFileSize, FileTimeToLocalFileTime, CompareFileTime, WideCharToMultiByte, WaitForSingleObject, FindClose, GetFullPathNameW, FindFirstFileW, FindNextFileW, SetFilePointer, HeapReAlloc, HeapAlloc, HeapFree, GetVersionExA, GetProcessHeap, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapSize, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, LoadLibraryW, Sleep, ExitProcess, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InterlockedExchange, LoadLibraryA, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, FlushFileBuffers, CompareStringA, CompareStringW, SetEnvironmentVariableA, InterlockedCompareExchange, IsProcessorFeaturePresent, GetThreadLocale, SetEndOfFile, FileTimeToSystemTime, GetModuleFileNameW, SystemTimeToFileTime, EnterCriticalSection, InterlockedDecrement, GetProcAddress, InterlockedIncrement, InitializeCriticalSection, LeaveCriticalSection, SetLastError, lstrcmpW, CloseHandle, lstrcpyW, DeleteCriticalSection, lstrcmpiW, CreateThread, CreateFileW, lstrlenW, FlushInstructionCache, GetCurrentProcess, RaiseException, FreeLibrary, LoadLibraryExW, ReadFile, FindResourceW, FindResourceExW, GetCurrentProcessId, MulDiv, LoadResource, GetVersionExW, GetLastError, WriteFile, SizeofResource, LockResource, GetModuleHandleW, VirtualQuery<br>&gt; USER32.dll: SetMenuDefaultItem, IsWindow, GetDlgCtrlID, GetMonitorInfoW, GetWindowDC, MessageBoxW, IsMenu, MonitorFromPoint, GetSystemMetrics, GetKeyState, DestroyMenu, GetWindowRect, GetClassNameW, GetMessagePos, ReleaseDC, WindowFromPoint, PeekMessageW, ScreenToClient, PtInRect, InflateRect, GetMenuItemCount, SetRectEmpty, GetSubMenu, GetDlgItem, GetMenuItemInfoW, DialogBoxParamW, LoadCursorW, ScrollWindowEx, SetMenuItemInfoW, IsWindowVisible, DrawFocusRect, TrackPopupMenu, EndDeferWindowPos, GetSysColor, PostMessageW, EnableMenuItem, DeferWindowPos, GetWindowThreadProcessId, CreatePopupMenu, GetWindowTextW, BeginDeferWindowPos, EndDialog, RemoveMenu, RegisterClassExW, UpdateWindow, CreateDialogParamW, UnhookWindowsHookEx, LoadImageW, RegisterWindowMessageW, GetSysColorBrush, GetScrollInfo, GetClassInfoExW, CharLowerW, DestroyCaret, MoveWindow, SetWindowPlacement, CharNextW, SetDlgItemTextW, ShowWindow, GetWindowPlacement, CreateWindowExW, SetScrollPos, GetMenu, GetParent, SendMessageW, GetWindowLongW, DestroyWindow, GetCapture, DispatchMessageW, MapVirtualKeyW, GetKeyNameTextW, CharUpperBuffW, UnregisterClassA, SetWindowLongW, TrackPopupMenuEx, GetActiveWindow, EndPaint, GetDlgItemTextW, SetRect, DefWindowProcW, CallWindowProcW, IsWindowEnabled, BeginPaint, OffsetRect, DrawFrameControl, SetWindowPos, MessageBeep, PostQuitMessage, GetClientRect, SetWindowsHookExW, LoadStringW, SystemParametersInfoW, LoadAcceleratorsW, EnableWindow, DrawTextW, FrameRect, FillRect, DrawEdge, LoadMenuW, LoadStringA, GetWindow, GetFocus, wvsprintfW, LoadBitmapW, CallNextHookEx, CopyRect, AppendMenuW, ReleaseCapture, SetCursor, SetScrollInfo, SetFocus, SetMenu, DestroyCursor, GetCursorPos, InvalidateRect, MapWindowPoints, GetMessageW, SetWindowTextW, SetCapture, TranslateMessage, ModifyMenuW, GetDC<br>&gt; GDI32.dll: GetTextExtentPoint32W, CreatePen, BitBlt, MoveToEx, SetBkColor, LineTo, CreatePatternBrush, DeleteObject, CreateCompatibleDC, CreateDIBitmap, SelectObject, SetBrushOrgEx, SetTextColor, GetStockObject, CreateBitmap, PatBlt, CreateCompatibleBitmap, SetBkMode, GetObjectW, CreateDIBSection, DeleteDC, CreateFontW, CreateFontIndirectW, SetViewportOrgEx<br>&gt; comdlg32.dll: GetSaveFileNameW, GetOpenFileNameW<br>&gt; ADVAPI32.dll: RegQueryInfoKeyW, RegCloseKey, RegDeleteKeyW, RegSetValueExW, RegDeleteValueW, RegCreateKeyExW, RegOpenKeyExW, RegEnumKeyExW<br>&gt; ole32.dll: CoUninitialize, CoInitialize, CoTaskMemAlloc, CoTaskMemFree, CoCreateInstance, CoTaskMemRealloc<br>&gt; OLEAUT32.dll: -<br><br>( 0 exports ) <br>


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, October 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, October 16, 2008 18:24:28
Records in database: 1316742
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 72841
Threat name: 7
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 01:30:37


File name / Threat name / Threats count
C:\Documents and Settings\pjb\.housecall6.6\Quarantine\iinstall25410.exe.bac_a02664 Infected: Trojan-Downloader.Win32.IstBar.ja 1
C:\Documents and Settings\pjb\.housecall6.6\Quarantine\iinstall25410.exe.bac_a02664 Infected: Trojan-Downloader.Win32.IstBar.nn 1
C:\Documents and Settings\pjb\.housecall6.6\Quarantine\iinstall25411.exe.bac_a02664 Infected: Trojan-Downloader.Win32.IstBar.ja 1
C:\Documents and Settings\pjb\.housecall6.6\Quarantine\iinstall25411.exe.bac_a02664 Infected: Trojan-Downloader.Win32.IstBar.nn 1
C:\Documents and Settings\pjb\.housecall6.6\Quarantine\iinstall25412.exe.bac_a02664 Infected: Trojan-Downloader.Win32.IstBar.ja 1
C:\Documents and Settings\pjb\.housecall6.6\Quarantine\iinstall25412.exe.bac_a02664 Infected: Trojan-Downloader.Win32.IstBar.nn 1
C:\Documents and Settings\pjb\Application Data\HouseCall 6.6\Backup\abazifej.exe.bac_a02660 Infected: Trojan.Win32.Obfuscated.gx 1
C:\Documents and Settings\pjb\Application Data\HouseCall 6.6\Backup\beep.sys.bac_a02660 Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Documents and Settings\pjb\Application Data\HouseCall 6.6\Backup\karna.dat.bac_a02660 Infected: Backdoor.Win32.Small.gjm 1
C:\WINDOWS\system32\svchotsr.exe Infected: not-a-virus:Monitor.Win32.Perflogger.bx 1
C:\WINDOWS\system32\YOF\AKV.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ga 1

The selected area was scanned.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:41 AM

Posted 17 October 2008 - 12:09 AM

Hi,

Navigate to and delete the following folder and file:

C:\WINDOWS\system32\YOF <== folder
C:\WINDOWS\system32\svchotsr.exe <== file - be careful here, do NOT delete svchost.exe, because that one is legitimate. So watch the spelling.

The rest what Kaspersky found are files that Trendmicro Housecall already quarantined, so you may also delete those housecall folders:

C:\Documents and Settings\pjb\.housecall6.6
C:\Documents and Settings\pjb\Application Data\HouseCall 6.6

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 browner

browner
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 17 October 2008 - 06:54 PM

Hi, thanks for your help. I've deleted the files as you advised. I'm not getting any pop-ups now and F-Secure doesn't seem to be picking anything up. Do you think i'll be safe to carry out my normal internet activities - online banking etc?

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:41 AM

Posted 18 October 2008 - 12:05 AM

Hi,

Yes, it's safe again, however... you have to change ALL your passwords first, because they may be known.

Also,

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 browner

browner
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 18 October 2008 - 10:07 AM

Thanks very much for your help, i've made a donation to show my appreciation.

All the best

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:41 AM

Posted 18 October 2008 - 11:18 AM

You're most welcome and thank you for the donation. Much appreciated :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:41 AM

Posted 25 October 2008 - 10:02 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users